SUS
sus
guides

Cursor

Integrate sus with Cursor hooks to automatically scan packages installed by AI agents

Cursor's hooks system lets you intercept and control agent actions. By using the beforeShellExecution hook, you can automatically route all package installations through sus for security scanning.

Why Use Hooks?

When AI agents install packages autonomously, they don't verify package integrity or check for known vulnerabilities. This makes them vulnerable to:

  • Typosquatting - installing lodashs instead of lodash
  • Supply chain attacks - compromised packages like event-stream
  • Malicious install scripts - packages that execute code during installation

With sus hooks, every npm install, yarn add, pnpm add, or bun add command is intercepted and routed through sus first.

Prerequisites

Setup

Choose one of the two options below. The script-based approach is recommended for production use.

Option A: Script-Based Hook (Recommended)

This approach uses a bash script for fast, deterministic behavior.

1. Create the hooks configuration

Create .cursor/hooks.json in your project root:

JSON
{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "command": ".cursor/hooks/sus-gateway.sh",
        "matcher": "npm|yarn|pnpm|bun"
      }
    ]
  }
}

2. Create the hook script

Create .cursor/hooks/sus-gateway.sh:

Bash
#!/bin/bash
input=$(cat)
cmd=$(echo "$input" | jq -r '.command')
 
# Match install commands with packages
if [[ "$cmd" =~ ^(npm\ (i|install|add)|yarn\ add|pnpm\ (add|i)|bun\ (add|i))\ (.+)$ ]]; then
  pkg="${BASH_REMATCH[4]}"
  jq -n --arg p "$pkg" '{continue:true, permission:"deny", agent_message:"Use `sus add \($p)` instead."}'
elif [[ "$cmd" =~ ^(npm\ (uninstall|rm)|yarn\ remove|pnpm\ (rm|remove)|bun\ (rm|remove))\ (.+)$ ]]; then
  pkg="${BASH_REMATCH[4]}"
  jq -n --arg p "$pkg" '{continue:true, permission:"deny", agent_message:"Use `sus remove \($p)` instead."}'
else
  echo '{"continue":true,"permission":"allow"}'
fi

3. Make it executable and restart Cursor

Bash
chmod +x .cursor/hooks/sus-gateway.sh

Then restart Cursor to load the hook.

Option B: Prompt-Based Hook (Zero Code)

This approach uses Cursor's built-in LLM evaluationβ€”no script needed. Trade-off: adds slight latency per command.

Create .cursor/hooks.json in your project root:

JSON
{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "type": "prompt",
        "prompt": "If this command installs a package (npm install <pkg>, yarn add <pkg>, pnpm add <pkg>, bun add <pkg>), deny and tell the agent to use 'sus add <package>' instead. Allow bare 'npm install' or non-install commands.",
        "matcher": "npm|yarn|pnpm|bun"
      }
    ]
  }
}

Restart Cursor to load the hook. No script file needed.

How It Works

When the Cursor agent tries to run a package install command:

100%
  1. Agent attempts npm install express
  2. Hook intercepts and denies the command
  3. Hook tells the agent to use sus add express instead
  4. sus scans the package for vulnerabilities
  5. If safe, sus installs using your detected package manager

Command Mapping

The hook intercepts these commands and routes them through sus:

Original Commandsus Equivalent
npm install pkgsus add pkg
npm i pkgsus add pkg
yarn add pkgsus add pkg
pnpm add pkgsus add pkg
bun add pkgsus add pkg
npm uninstall pkgsus remove pkg
yarn remove pkgsus remove pkg

Commands without specific packages (like npm install to install from package.json) are allowed through.

Testing the Integration

Ask Cursor to install a package:

Text
Install the express package

You should see the hook intercept the command and instruct the agent to use sus instead:

Bash
πŸ” checking express@4.21.0...
βœ… not sus
   β”œβ”€ publisher: expressjs (verified)
   β”œβ”€ downloads: 32M/week
   β”œβ”€ cves: 0
   └─ install scripts: none
πŸ“¦ installed
πŸ“ updated AGENTS.md docs index

Global Configuration

To apply sus hooks to all your projects, create the configuration in your home directory:

Bash
mkdir -p ~/.cursor/hooks

Create ~/.cursor/hooks.json:

JSON
{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "command": "./hooks/sus-gateway.sh",
        "matcher": "npm|yarn|pnpm|bun"
      }
    ]
  }
}

Then copy the hook script to ~/.cursor/hooks/sus-gateway.sh.

Troubleshooting

Hook not triggering

  1. Verify the hook file exists at .cursor/hooks.json
  2. Check that the script is executable: chmod +x .cursor/hooks/sus-gateway.sh
  3. Restart Cursor after making changes
  4. Check Cursor Settings > Hooks tab for debug info

Script errors

Test the script manually:

Bash
echo '{"command": "npm install express", "cwd": "/tmp"}' | .cursor/hooks/sus-gateway.sh

Expected output:

JSON
{"continue":true,"permission":"deny","agent_message":"Use `sus add express` instead."}

jq not found

The script requires jq for JSON parsing. Install it:

Bash
# macOS
brew install jq
 
# Ubuntu/Debian
sudo apt-get install jq
 
# Windows (with chocolatey)
choco install jq

Next Steps