cursor-sdk
Guides users in building applications and automations using the Cursor TypeScript SDK, ensuring efficient integration and error handling.
Install this skill
or
68/100
Security score
The cursor-sdk skill was audited on May 19, 2026 and we found 12 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
medium line 132
Template literal with variable interpolation in command context
SourceSKILL.md
| 132 | console.error(`run failed: ${result.id}`); |
medium line 138
Template literal with variable interpolation in command context
SourceSKILL.md
| 138 | console.error(`startup failed: ${err.message}, retryable=${err.isRetryable}`); |
medium line 46
Webhook reference - potential data exfiltration
SourceSKILL.md
| 46 | | Building a specific integration (CI review bot, scheduled triage, chat, webhook) | [`references/patterns.md`](references/patterns.md) | |
medium line 114
Webhook reference - potential data exfiltration
SourceSKILL.md
| 114 | Use across process boundaries: a cron that continues last night's cleanup, a webhook that extends a user's agent, an interactive CLI that reloads conversation state. **Inline `mcpServers` are not pers |
medium line 227
Webhook reference - potential data exfiltration
SourceSKILL.md
| 227 | A cloud `bc-`-prefixed agent ID is **not** a run ID. If you only have a run ID (from a log or a webhook), pass it to `Agent.getRun` with the runtime hint; don't confuse the two. |
low line 61
Access to .env file
SourceSKILL.md
| 61 | apiKey: process.env.CURSOR_API_KEY!, |
low line 76
Access to .env file
SourceSKILL.md
| 76 | apiKey: process.env.CURSOR_API_KEY!, |
low line 106
Access to .env file
SourceSKILL.md
| 106 | apiKey: process.env.CURSOR_API_KEY!, |
low line 192
Access to .env file
SourceSKILL.md
| 192 | const models = await Cursor.models.list({ apiKey: process.env.CURSOR_API_KEY! }); |
low line 10
External URL reference
SourceSKILL.md
| 10 | Use this skill to help someone **bootstrap a working integration quickly** and **avoid the handful of traps that bite new users**. Canonical docs live at [https://cursor.com/docs/api/sdk/typescript](h |
low line 183
External URL reference
SourceSKILL.md
| 183 | The SDK reads `CURSOR_API_KEY` if `apiKey` isn't passed. Both user keys (from [https://cursor.com/dashboard/cloud-agents](https://cursor.com/dashboard/cloud-agents)) and team service-account keys (Tea |
low line 235
External URL reference
SourceSKILL.md
| 235 | - The Cloud Agents REST API (`/v1/agents/*`). If the user needs a non-TS client, the REST API is documented separately at <https://cursor.com/docs/cloud-agent/api>; check there for current capabilitie |
Scanned on May 19, 2026
View Security Dashboard