cursor-debug-bundle
Debug AI suggestion quality, context issues, and code generation problems in Cursor. Triggers on "debug cursor ai", "cursor suggestions wrong", "bad cursor completion", "cursor ai debug", "cursor hallucination".
| name | cursor-debug-bundle |
| description | Debug AI suggestion quality, context issues, and code generation problems in Cursor. Triggers on "debug cursor ai", "cursor suggestions wrong", "bad cursor completion", "cursor ai debug", "cursor hallucination". |
| allowed-tools | Read, Write, Edit, Bash(cmd:*) |
| version | 1.0.0 |
| license | MIT |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
| tags | ["saas","cursor","debugging"] |
| compatibility | Designed for Claude Code, also compatible with Codex and OpenClaw |
Diagnose and fix AI suggestion quality issues in Cursor. Covers why AI generates wrong code, how to improve context, and systematic debugging workflows.
When AI suggestions are wrong, the cause is almost always one of these:
┌─ Context Problems (80% of issues) ───────────────────────┐
│ 1. Missing context: AI doesn't have the relevant code │
│ 2. Wrong context: AI has stale or irrelevant files │
│ 3. Too much context: context window overflow │
│ 4. No project rules: AI doesn't know your conventions │
└──────────────────────────────────────────────────────────┘
┌─ Model Problems (15% of issues) ─────────────────────────┐
│ 5. Wrong model for the task │
│ 6. Model hallucinating APIs or patterns │
└──────────────────────────────────────────────────────────┘
┌─ Prompt Problems (5% of issues) ─────────────────────────┐
│ 7. Ambiguous or vague instructions │
│ 8. Conflicting requirements in prompt │
└──────────────────────────────────────────────────────────┘
Symptom: Generated code uses React.createClass, old Express syntax, or deprecated patterns.
Root cause: Model training data includes old code. No project rules specifying versions.
Fix:
# .cursor/rules/stack-versions.mdc
---
description: "Tech stack version pinning"
globs: ""
alwaysApply: true
---
# Stack Versions (ALWAYS use these)
- React 19 with Server Components (NOT class components)
- Next.js 15 App Router (NOT Pages Router)
- TypeScript 5.7 strict mode
- Prisma 6 (NOT Sequelize or TypeORM)
- Tailwind CSS 4 (NOT styled-components)
- Node.js 22 (ESM, NOT CommonJS require())
Symptom: Generated code uses different naming, structure, or patterns than your codebase.
Root cause: AI does not have your existing code as context.
Fix: Reference your existing patterns explicitly:
@src/api/users/route.ts
Create src/api/products/route.ts following the EXACT same patterns:
same error handling, same response format, same validation approach.
Symptom: AI calls functions or uses imports that do not exist in your project or in the library.
Root cause: Model confuses similar libraries or invents plausible-sounding APIs.
Fix:
- @Docs context: @Docs Prisma gives the AI real API documentation
- npm run build immediately after applying
- @Files to show the actual module interface: @src/lib/database.ts
Symptom: You ask for one thing, AI does something different.
Root cause: Context window overflow -- your instructions get pushed out by file contents.
Fix:
- @ references -- each consumes context budget
- @Files instead of @Codebase to reduce context volume
Symptom: Tab keeps suggesting the same wrong pattern.
Root cause: Tab has limited context compared to Chat/Composer.
Fix:
- Esc (trains the model)
When AI output is consistently wrong:
Step 1: Check context
- Open Chat, look at context pills at top
- Are the right files included?
- Are stale files adding noise?
Step 2: Check rules
- @Cursor Rules in chat -- what rules are active?
- Do rules conflict with each other?
- Are glob patterns matching the right files?
Step 3: Test with minimal context
- Start new chat
- Add ONLY the most relevant file: @src/the-file.ts
- Ask your question with explicit constraints
- If this works, the issue was context pollution
Step 4: Test with different model
- Switch from Sonnet to Opus or GPT-5
- If a better model gives better results, the task needs more reasoning power
Step 5: Check indexing
- Is the codebase indexed? (status bar shows "Indexed")
- Is the relevant file excluded by .cursorignore?
- Run Cmd+Shift+P > "Cursor: Resync Index"
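Step 2 asks which rules are active and whether their glob patterns match the right files. The script below is an added example (not part of the original skill or of Cursor): it parses the frontmatter format shown in stack-versions.mdc and lists every rule that would attach to a given path, so conflicting rules show up side by side. It assumes globs is a comma-separated list and uses Python's fnmatch as an approximation of Cursor's matcher; the sample rules other than stack-versions.mdc are constructed.

```python
"""List which .cursor/rules/*.mdc rules would attach to a file (added example)."""
from fnmatch import fnmatchcase
from pathlib import Path

def parse_rule(text):
    """Return the frontmatter keys of one .mdc rule as a dict of strings."""
    lines = text.splitlines()
    try:
        start = lines.index("---")           # opening frontmatter fence
        end = lines.index("---", start + 1)  # closing frontmatter fence
    except ValueError:
        return {}  # no frontmatter: nothing to evaluate
    meta = {}
    for line in lines[start + 1:end]:
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip().strip("\"'")
    return meta

def rules_for(path, rules):
    """Map rule name -> reason it applies to path; rules is {name: mdc_text}."""
    hits = {}
    for name, text in rules.items():
        meta = parse_rule(text)
        # Assumption: globs is a comma-separated list of patterns.
        globs = [g.strip() for g in meta.get("globs", "").split(",") if g.strip()]
        if meta.get("alwaysApply", "").lower() == "true":
            hits[name] = "alwaysApply"
        else:
            matched = [g for g in globs if fnmatchcase(path, g)]
            if matched:
                hits[name] = "glob " + matched[0]
    return hits

def load_rules(root="."):
    """Read every rule file under <root>/.cursor/rules/."""
    rule_dir = Path(root) / ".cursor" / "rules"
    return {p.name: p.read_text(encoding="utf-8") for p in sorted(rule_dir.glob("*.mdc"))}

# Constructed samples; the first mirrors the stack-versions.mdc frontmatter above.
SAMPLE = {
    "stack-versions.mdc": '---\ndescription: "Tech stack version pinning"\nglobs: ""\nalwaysApply: true\n---\n# Stack Versions\n',
    "api-style.mdc": '---\ndescription: "API route conventions"\nglobs: "src/api/**/*.ts"\nalwaysApply: false\n---\n- Shared error handler\n',
    "legacy.mdc": '---\ndescription: "Old pages rules"\nglobs: "pages/*.tsx"\nalwaysApply: false\n---\n- Pages Router\n',
}

if __name__ == "__main__":
    print(rules_for("src/api/products/route.ts", SAMPLE))
```

To run it against a real project, pass load_rules() instead of SAMPLE. fnmatch lets * cross directory separators, so a pattern may match here slightly more or less broadly than it does in Cursor.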
Cmd+Shift+P > Developer: Toggle Developer Tools
Check the Console tab for:
Enable verbose output: Cursor Settings > search "log level" > set to "Debug"
Logs location:
- ~/Library/Application Support/Cursor/logs/
- ~/.config/Cursor/logs/
1. Note Cursor version: Help > About
2. Note model used (from Chat/Composer header)
3. Copy the exact prompt that produced wrong output
4. Copy the wrong output
5. List active extensions: Cmd+Shift+P > "Extensions: Show Installed"
6. Note if Privacy Mode is on (affects model behavior)
7. Report at forum.cursor.com or github.com/getcursor/cursor/issues
.cursor/rules/ for outdated or conflicting rules