Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

hookdeck/cursor-webhooks

Name: cursor-webhooks
Author: hookdeck

skills/cursor-webhooks/SKILL.md

npx skillsauth add hookdeck/webhook-skills cursor-webhooks

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Cursor Webhooks

When to Use This Skill

Setting up Cursor Cloud Agent webhook handlers
Debugging signature verification failures
Understanding Cursor webhook event types and payloads
Handling Cloud Agent status change events (ERROR, FINISHED)

Essential Code (USE THIS)

Cursor Signature Verification (JavaScript)

const crypto = require('crypto');

function verifyCursorWebhook(rawBody, signatureHeader, secret) {
  if (!signatureHeader || !secret) return false;

  // Cursor sends: sha256=xxxx
  const [algorithm, signature] = signatureHeader.split('=');
  if (algorithm !== 'sha256') return false;

  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');

  try {
    return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
  } catch {
    return false;
  }
}

Express Webhook Handler

const express = require('express');
const app = express();

// CRITICAL: Use express.raw() - Cursor requires raw body for signature verification
app.post('/webhooks/cursor',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const signature = req.headers['x-webhook-signature'];
    const webhookId = req.headers['x-webhook-id'];
    const event = req.headers['x-webhook-event'];

    // Verify signature
    if (!verifyCursorWebhook(req.body, signature, process.env.CURSOR_WEBHOOK_SECRET)) {
      console.error('Cursor signature verification failed');
      return res.status(401).send('Invalid signature');
    }

    // Parse payload after verification
    const payload = JSON.parse(req.body.toString());

    console.log(`Received ${event} (id: ${webhookId})`);

    // Handle status changes
    if (event === 'statusChange') {
      console.log(`Agent ${payload.id} status: ${payload.status}`);

      if (payload.status === 'FINISHED') {
        console.log(`Summary: ${payload.summary}`);
      } else if (payload.status === 'ERROR') {
        console.error(`Agent error for ${payload.id}`);
      }
    }

    res.json({ received: true });
  }
);

Python Signature Verification (FastAPI)

import hmac
import hashlib
from fastapi import Request, HTTPException

def verify_cursor_webhook(body: bytes, signature_header: str, secret: str) -> bool:
    if not signature_header or not secret:
        return False

    # Cursor sends: sha256=xxxx
    parts = signature_header.split('=')
    if len(parts) != 2 or parts[0] != 'sha256':
        return False

    signature = parts[1]
    expected = hmac.new(
        secret.encode(),
        body,
        hashlib.sha256
    ).hexdigest()

    # Timing-safe comparison
    return hmac.compare_digest(signature, expected)

Common Event Types

| Event Type | Description | Common Use Cases | |------------|-------------|------------------| | statusChange | Agent status changed | Monitor agent completion, handle errors |

Event Payload Structure

{
  "event": "statusChange",
  "timestamp": "2024-01-01T12:00:00.000Z",
  "id": "agent_123456",
  "status": "FINISHED",  // or "ERROR"
  "source": {
    "repository": "https://github.com/user/repo",
    "ref": "main"
  },
  "target": {
    "url": "https://github.com/user/repo/pull/123",
    "branchName": "feature-branch",
    "prUrl": "https://github.com/user/repo/pull/123"
  },
  "summary": "Updated 3 files and fixed linting errors"
}

Environment Variables

# Your Cursor webhook signing secret
CURSOR_WEBHOOK_SECRET=your_webhook_secret_here

Local Development

For local webhook testing, install Hookdeck CLI:

Then start the tunnel:

npx hookdeck-cli listen 3000 cursor --path /webhooks/cursor

No account required. Provides local tunnel + web UI for inspecting requests.

Resources

overview.md - What Cursor webhooks are, event types
setup.md - Configure webhooks in Cursor dashboard
verification.md - Signature verification details and gotchas
examples/ - Runnable examples per framework

Recommended: webhook-handler-patterns

For production-ready webhook handling, also use the webhook-handler-patterns skill:

Handler sequence
Idempotency
Error handling
Retry logic

Related Skills

stripe-webhooks - Stripe webhook handling
github-webhooks - GitHub webhook handling
shopify-webhooks - Shopify webhook handling
openai-webhooks - OpenAI webhook handling
webhook-handler-patterns - Idempotency, error handling, retry logic
hookdeck-event-gateway - Webhook infrastructure that replaces your queue — guaranteed delivery, automatic retries, replay, rate limiting, and observability for your webhook handlers

hookdeck/cursor-webhooks

skills/cursor-webhooks/SKILL.md

Receive and verify Cursor Cloud Agent webhooks. Use when setting up Cursor webhook handlers, debugging signature verification, or handling Cloud Agent status change events (ERROR, FINISHED).

70 stars

development

Updated May 15, 2026

$ install --global

skillsauth

npx skillsauth add hookdeck/webhook-skills cursor-webhooks

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 15, 2026, 7:53 AM185.3s17 files scanned

SKILL.md

name:: cursor-webhooks
description:: >
license:: MIT
author:: hookdeck
version:: 0.1.0
repository:: https://github.com/hookdeck/webhook-skills

Cursor Webhooks

When to Use This Skill

Setting up Cursor Cloud Agent webhook handlers
Debugging signature verification failures
Understanding Cursor webhook event types and payloads
Handling Cloud Agent status change events (ERROR, FINISHED)

Essential Code (USE THIS)

Cursor Signature Verification (JavaScript)

const crypto = require('crypto');

function verifyCursorWebhook(rawBody, signatureHeader, secret) {
  if (!signatureHeader || !secret) return false;

  // Cursor sends: sha256=xxxx
  const [algorithm, signature] = signatureHeader.split('=');
  if (algorithm !== 'sha256') return false;

  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');

  try {
    return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
  } catch {
    return false;
  }
}

Express Webhook Handler

const express = require('express');
const app = express();

// CRITICAL: Use express.raw() - Cursor requires raw body for signature verification
app.post('/webhooks/cursor',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const signature = req.headers['x-webhook-signature'];
    const webhookId = req.headers['x-webhook-id'];
    const event = req.headers['x-webhook-event'];

    // Verify signature
    if (!verifyCursorWebhook(req.body, signature, process.env.CURSOR_WEBHOOK_SECRET)) {
      console.error('Cursor signature verification failed');
      return res.status(401).send('Invalid signature');
    }

    // Parse payload after verification
    const payload = JSON.parse(req.body.toString());

    console.log(`Received ${event} (id: ${webhookId})`);

    // Handle status changes
    if (event === 'statusChange') {
      console.log(`Agent ${payload.id} status: ${payload.status}`);

      if (payload.status === 'FINISHED') {
        console.log(`Summary: ${payload.summary}`);
      } else if (payload.status === 'ERROR') {
        console.error(`Agent error for ${payload.id}`);
      }
    }

    res.json({ received: true });
  }
);

Python Signature Verification (FastAPI)

import hmac
import hashlib
from fastapi import Request, HTTPException

def verify_cursor_webhook(body: bytes, signature_header: str, secret: str) -> bool:
    if not signature_header or not secret:
        return False

    # Cursor sends: sha256=xxxx
    parts = signature_header.split('=')
    if len(parts) != 2 or parts[0] != 'sha256':
        return False

    signature = parts[1]
    expected = hmac.new(
        secret.encode(),
        body,
        hashlib.sha256
    ).hexdigest()

    # Timing-safe comparison
    return hmac.compare_digest(signature, expected)

Common Event Types

| Event Type | Description | Common Use Cases | |------------|-------------|------------------| | statusChange | Agent status changed | Monitor agent completion, handle errors |

Event Payload Structure

{
  "event": "statusChange",
  "timestamp": "2024-01-01T12:00:00.000Z",
  "id": "agent_123456",
  "status": "FINISHED",  // or "ERROR"
  "source": {
    "repository": "https://github.com/user/repo",
    "ref": "main"
  },
  "target": {
    "url": "https://github.com/user/repo/pull/123",
    "branchName": "feature-branch",
    "prUrl": "https://github.com/user/repo/pull/123"
  },
  "summary": "Updated 3 files and fixed linting errors"
}

Environment Variables

# Your Cursor webhook signing secret
CURSOR_WEBHOOK_SECRET=your_webhook_secret_here

Local Development

For local webhook testing, install Hookdeck CLI:

Then start the tunnel:

npx hookdeck-cli listen 3000 cursor --path /webhooks/cursor

No account required. Provides local tunnel + web UI for inspecting requests.

Resources

overview.md - What Cursor webhooks are, event types
setup.md - Configure webhooks in Cursor dashboard
verification.md - Signature verification details and gotchas
examples/ - Runnable examples per framework

Recommended: webhook-handler-patterns

For production-ready webhook handling, also use the webhook-handler-patterns skill:

Handler sequence
Idempotency
Error handling
Retry logic

Related Skills

stripe-webhooks - Stripe webhook handling
github-webhooks - GitHub webhook handling
shopify-webhooks - Shopify webhook handling
openai-webhooks - OpenAI webhook handling
webhook-handler-patterns - Idempotency, error handling, retry logic
hookdeck-event-gateway - Webhook infrastructure that replaces your queue — guaranteed delivery, automatic retries, replay, rate limiting, and observability for your webhook handlers

Related Skills

hookdeck/vercel-webhooks

development

VerifiedTrustedCommunity

Receive and verify Vercel webhooks. Use when setting up Vercel webhook handlers, debugging signature verification, or handling deployment events like deployment.created, deployment.succeeded, or project.created.

72SKILL.mdUpdated Jun 6, 2026

hookdeck/vercel-webhooks

hookdeck/twilio-webhooks

development

VerifiedTrustedCommunity

Receive and verify Twilio webhooks. Use when setting up Twilio webhook handlers, debugging X-Twilio-Signature verification, or handling communications events like incoming SMS, voice calls, message status callbacks (delivered, failed), or recording status callbacks.

72SKILL.mdUpdated Jun 6, 2026

hookdeck/twilio-webhooks

hookdeck/stripe-webhooks

development

VerifiedTrustedCommunity

Receive and verify Stripe webhooks. Use when setting up Stripe webhook handlers, debugging signature verification, or handling payment events like payment_intent.succeeded, customer.subscription.created, or invoice.paid.

72SKILL.mdUpdated Jun 6, 2026

hookdeck/stripe-webhooks

hookdeck/slack-webhooks

development

VerifiedTrustedCommunity

Receive and verify Slack Events API webhooks. Use when setting up Slack webhook handlers, debugging Slack signature verification, handling the url_verification challenge, or processing events like app_mention, message, reaction_added, team_join, or app_home_opened.

72SKILL.mdUpdated Jun 6, 2026

hookdeck/slack-webhooks

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/hookdeck/webhook-skills.git

# Copy into Claude Code skills folder (global)
cp -r webhook-skills/skills/cursor-webhooks ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

hookdeck/webhook-skills

70 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT