Skip to main content
Orcho analyzes your coding prompts in real-time within Cursor to identify potential security risks, dangerous operations, and safety concerns before code is generated or executed.

Features

Real-time Assessment

Analyze prompts using Orcho’s risk analysis API as you type

Context-Aware

Automatically includes file context for accurate blast radius analysis

Security First

Identifies high-risk prompts before execution

Seamless Integration

Works natively with Cursor’s Model Context Protocol

Quick Install

Click this link or paste it into your browser: 
cursor://anysphere.cursor-deeplink/mcp/install?name=orcho&config=eyJuYW1lIjoib3JjaG8iLCJ0eXBlIjoic3RkaW8iLCJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsIkBvcmNob19yaXNrL21jcC1zZXJ2ZXIiXSwiZW52Ijp7Ik9SQ0hPX0FQSV9LRVkiOiJ0ZXN0X2tleV9vcmNob18xMjM0NSJ9fQ==
1

Copy the installation link

Copy the link above to your clipboard
2

Paste into browser

Paste the link into your browser’s address bar and press Enter
3

Cursor opens automatically

Cursor will open and automatically configure the MCP server
The MCP server configuration is now added to your Cursor settings
4

Update API key

Replace the test API key with your real key (see API Configuration)
5

Restart Cursor

Completely quit and reopen Cursor to activate the MCP server
The Orcho MCP server is now active!

Manual Installation

If the one-click install doesn’t work, follow these steps:
1

Install the package

Install globally via npm:
npm install -g @orcho_risk/mcp-server
2

Configure Cursor

Create or edit the MCP configuration file:
Edit ~/.cursor/mcp.json:
~/.cursor/mcp.json
{
  "mcpServers": {
    "orcho": {
      "command": "npx",
      "args": ["-y", "@orcho_risk/mcp-server"],
      "env": {
        "ORCHO_API_KEY": "your-api-key-here"
      }
    }
  }
}
3

Restart Cursor

Completely quit and reopen Cursor (not just reload window)

API Configuration

Get Your API Key

1

Contact Orcho

Email [email protected] to request an API key for your organization
2

Receive your API key

Our team will provision an API key and send it to you securely
3

Update mcp.json

Add your API key to the configuration file:
# Edit the file
nano ~/.cursor/mcp.json

# Replace test_key_orcho_12345 with your actual key
4

Restart Cursor

Quit and reopen Cursor to load the new API key

Test API Key

For initial testing, you can use the test key: 
test_key_orcho_12345
The test key has very limited functionality and rate limits. Contact [email protected] to get a production API key for your team.

Usage

Manual Risk Assessment

In Cursor chat, you can manually trigger risk assessment: 
@orcho assess_risk: Delete all records from the users table
Cursor will:
  1. Get the repository name by running get_repo_name.py
  2. Detect the currently open file
  3. Analyze which files will be modified
  4. Call the Orcho API with full context
Response format: 
⚠️ CRITICAL RISK (Score: 0.92)

Risk Factors:
- Data Sensitivity: 0.95 (CRITICAL)
- Input Clarity: 0.68 (HIGH)
- Blast Radius: 0.85 (HIGH)

Suggestions from Input Clarity:
- Add WHERE clause to limit scope
- Require explicit confirmation
- Create backup before deletion

Files Affected (from Blast Radius):
- src/database/users.py (current file)
- src/models/user.py
- src/auth/session.py
- src/api/users_endpoint.py

Recommendation: BLOCK - High risk detected
With automatic assessment enabled (using .cursor/rules/orcho-risk-assessment.mdc), you don’t need to manually type @orcho assess_risk - it happens automatically for every prompt.
Enable automatic risk assessment for all prompts by adding a Cursor rule to your project.
1

Create required directories

mkdir -p .cursor/rules
mkdir -p .cursor/scripts
2

Add the repository name script

Create .cursor/scripts/get_repo_name.py:
.cursor/scripts/get_repo_name.py
import subprocess
import urllib.parse as up

def _origin_url() -> str:
    # Prefer `git remote get-url origin`, fall back to config if needed
    for cmd in (["git", "remote", "get-url", "origin"],
                ["git", "config", "--get", "remote.origin.url"]):
        try:
            out = subprocess.check_output(cmd, text=True).strip()
            if out:
                return out
        except Exception:
            pass
    return ""

def _owner_repo_from_url(u: str) -> str:
    if not u:
        return ""

    # HTTPS/SSH URL
    if "://" in u:
        path = up.urlparse(u).path
    else:
        # SCP-like: [email protected]:OWNER/REPO.git
        if ":" in u and "@" in u.split(":", 1)[0]:
            path = u.split(":", 1)[1]
        else:
            path = u

    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]

    parts = [p for p in path.split("/") if p]
    return "/".join(parts[-2:]) if len(parts) ≥ 2 else path

if __name__ == "__main__":
    print(_owner_repo_from_url(_origin_url()))
This script extracts the repository name (owner/repo format) from your git remote
3

Add the Orcho risk assessment rule

Create .cursor/rules/orcho-risk-assessment.mdc:
.cursor/rules/orcho-risk-assessment.mdc
---
alwaysApply: true
---
# Orcho Risk Assessment Rule

## Automatic Risk Assessment

Before processing ANY user request (any time they send you ANYTHING), you MUST:

1. **Always call the Orcho risk assessment tool first:**
   - Use: `@orcho assess_risk` with the user's prompt
   - **CRITICAL**: You MUST include:
     - `current_file`: The path of the currently open file in the editor (check active tabs)
     - `other_files`: A list of file paths that will be modified by the prompt (analyze the prompt to determine this)
     - `repo_full_name`: A string that represents the full name of the git repository the codebase is from, which can be obtained by running "python .cursor/scripts/get_repo_name.py" within the terminal

2. **NEVER PASS THE PROMPT IN AS "task" ALL API calls must have the format:**
    ```json
    {
      "prompt": "delete my prod db",
      "context": {
        "repo_full_name": "guardd/fintech_demo_repo",
        "current_file": ".github/workflows/deploy.yml",
        "other_files": []
      }
    }
  1. Always include risk assessment in your response:
    • Show the risk level and score
    • DO NOT EXECUTE THE PROMPT
    • ALL OUTPUTS MUST NOT INCLUDE ANYTHING OTHER THAN THE RETURN THE RESULTS OF THE ASSESS_RISK FUNCTION
    • INSIDE THE RISK BREAKDOWN, THERE IS A TAB INSIDE INPUT CLARITY THAT SAYS SUGGESTIONS. INCLUDE ALL SUGGESTIONS IN YOUR RESPONSE.
    • ALWAYS INCLUDE ALL POSSIBLE FILES YOU MIGHT TOUCH, FROM BLAST RADIUS, IN THE RESPONSE

<Warning>
The `alwaysApply: true` flag ensures risk assessment happens automatically for every request
</Warning>

</Step>

<Step title="Test the setup">
Open Cursor and try a prompt:
Delete all user records from the database

Cursor should automatically:
1. Run `get_repo_name.py` to get your repository name
2. Call `@orcho assess_risk` with full context
3. Show you the risk assessment before executing anything

Cursor automatically invokes `@orcho assess_risk` with:

```json
{
  "prompt": "Delete all user data from the database",
  "context": {
    "repo_full_name": "mycompany/api-server",
    "current_file": "src/database/users.py",
    "other_files": ["src/models/user.py"]
  }
}
4

Risk analysis returned

{
  "overall_score": 0.95,
  "overall_risk_level": "critical",
  "scores": {
    "data_sensitivity": 0.98,
    "blast_radius": 0.92,
    "input_clarity": 0.85
  },
  "recommendations": [
    "BLOCK - High risk detected"
  ],
  "computations": {
    "input_clarity": {
      "suggestions": [
        "Add WHERE clause to limit scope",
        "Specify which users to delete",
        "Create backup before deletion",
        "Use soft delete instead"
      ]
    },
    "blast_radius": {
      "affected_files": [
        "src/database/users.py",
        "src/models/user.py",
        "src/auth/session.py",
        "src/api/users_endpoint.py"
      ]
    }
  }
}
5

Cursor displays to user

⚠️ CRITICAL RISK (Score: 0.95)

Risk Factors:
- Data Sensitivity: 0.98 (CRITICAL)
- Blast Radius: 0.92 (CRITICAL)
- Input Clarity: 0.85 (HIGH)

Suggestions from Input Clarity:
- Add WHERE clause to limit scope
- Specify which users to delete
- Create backup before deletion
- Use soft delete instead

Files that will be affected (from Blast Radius):
- src/database/users.py (current file)
- src/models/user.py
- src/auth/session.py
- src/api/users_endpoint.py

⚠️ This operation has been blocked due to critical risk level.

MCP Tool Parameters

The assess_risk tool uses the following structure:
prompt
string
required
The prompt or task description to assess for risk
context
object
required
Context object containing repository and file information
weights
object
Optional custom risk calculation weights for different risk factorsExample:
{
  "data_sensitivity": 0.3,
  "blast_radius": 0.4,
  "input_clarity": 0.3
}
Important: Do NOT use the deprecated task parameter. Always use prompt with context object.

Example Request

{
  "prompt": "Delete all inactive users from the database",
  "context": {
    "repo_full_name": "acme/user-service",
    "current_file": "src/services/user_cleanup.py",
    "other_files": [
      "src/models/user.py",
      "src/database/queries.py"
    ]
  },
  "weights": {
    "data_sensitivity": 0.35,
    "blast_radius": 0.40,
    "input_clarity": 0.25
  }
}

Troubleshooting

Check configuration file location:
ls -la ~/.cursor/mcp.json
cat ~/.cursor/mcp.json
Verify Node.js version:
node --version  # Requires v18 or higher
Check Cursor Developer Tools:
  1. Open Cursor
  2. Go to Help → Toggle Developer Tools
  3. Check Console tab for MCP-related errors
Invalid API Key:
  • Verify the key is correct in mcp.json
  • Ensure there are no extra spaces or quotes
  • Contact [email protected] if issues persist
Rate Limits:
  • Contact [email protected] to check your account quota
  • Request a plan upgrade if needed
  • Test key has very low limits - get a production key
No API Key: The server will use the test key by default (limited functionality)
Restart Cursor completely:
  • Quit Cursor entirely (not just close window)
  • Reopen Cursor
  • Wait 10-15 seconds for MCP server to initialize
Check internet connectivity:
curl -I https://app.orcho.ai/health
Verify package installation:
npm list -g @orcho_risk/mcp-server
Reinstall if needed:
npm uninstall -g @orcho_risk/mcp-server
npm install -g @orcho_risk/mcp-server
Ensure file is open in editor:
  • The current file must be open in a Cursor tab
  • Try clicking into the file to focus it
Check file permissions:
  • Verify Cursor can read the file
  • Check if file is in an ignored directory
Manually specify context:
@orcho assess_risk --file src/auth.py: Your prompt here

Security Best Practices

Follow these security guidelines to protect your API keys and data:
1

Store keys securely

✅ Store API keys only in ~/.cursor/mcp.json ❌ Never hardcode keys in your project files
2

Never commit keys

✅ Add mcp.json to .gitignore if you copy it to project ❌ Never commit API keys to version control
3

Rotate compromised keys

✅ Rotate keys immediately if accidentally exposed ✅ Contact [email protected] to rotate your key
4

Use environment-specific keys

✅ Different keys for development and production ✅ Limit key permissions appropriately

Advanced Configuration

Custom Risk Thresholds

Adjust automatic assessment thresholds in your Cursor rules:
.cursor/rules/orcho-custom.mdc
# Custom Risk Thresholds

## Medium Risk (0.4-0.59)
- Show warning
- Allow to proceed

## High Risk (0.6-0.79)
- Require confirmation
- Suggest alternatives

## Critical Risk (0.8+)
- Block by default
- Require strong justification

File Exclusions

Create an .aiignore file to exclude files from analysis:
.aiignore
# Dependencies
node_modules/
vendor/

# Build outputs
dist/
build/
*.min.js

# Tests
**/*.test.js
**/*.spec.ts

# Configuration
.env
.env.local

Integration with CI/CD

Use the MCP server programmatically in CI/CD: 
const { assessRisk } = require('@orcho_risk/mcp-server');

async function checkPullRequest(files, description) {
  const result = await assessRisk({
    task: description,
    other_files: files
  });
  
  if (result.overall_score >= 0.8) {
    console.error('CRITICAL RISK DETECTED');
    process.exit(1);
  }
}

Package Information

NPM Package

View on NPM registry

Version

1.0.7 (Latest)

License

MIT License

Node.js Requirement

v18.0.0 or higher

Support

Need help with the Cursor integration?

API Documentation

Review the REST API docs

Get API Key

Contact us for an API key

GitHub Issues

Report bugs or issues

Email Support

Contact support team

Next Steps

1

Install the MCP server

Use the one-click install or manual setup
2

Get your API key

Contact [email protected] to request an API key
3

Add automatic assessment

Copy the Cursor rules to your project
4

Start coding safely

Orcho will now protect you from high-risk operations