Skip to content

ONode/cursortoolsmonkey

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
skills
skills
 
 
userscript
userscript
 
 
readme.md
readme.md
 
 

Repository files navigation

Cursor Tools Monkey

A small toolkit for building Tampermonkey / Violentmonkey userscripts that extend the Cursor web dashboard. The repo includes a working script plus reference guides for userscript development on modern SPAs.

What it does

The main script, Cursor My Manager, runs on the Cursor settings page and adds a read-only Auth Token field to the Student Verification section.

When you visit:

https://cursor.com/dashboard/settings

the script:

  1. Waits for the Student Verification section to load (React/SPA-safe).
  2. Injects a dashboard row styled like the existing Profile fields.
  3. Reads the WorkosCursorSessionToken cookie from cursor.com.
  4. Displays the token in a disabled input with id="auth-token".

This makes the session token visible without opening DevTools → Application → Cookies.

Why a userscript?

Cursor stores the session in an HttpOnly cookie named WorkosCursorSessionToken. Normal page JavaScript cannot read it via document.cookie. Tampermonkey’s cookie API (GM.cookie.list) can, which is why the script requests that permission.

The token format is typically:

user_id%3A%3Ajwt_token

(%3A%3A is the URL-encoded form of ::.)

Project structure

cursortoolsmonkey/
├── userscript/
│   └── cursor.js          # Main Tampermonkey script
├── skills/
│   ├── guide1.md          # Userscript fundamentals & metadata
│   ├── guide2.md          # MutationObserver patterns for SPAs
│   └── guide3.md          # ResizeObserver techniques
└── readme.md
Path Purpose
userscript/cursor.js Production script injected on the Cursor dashboard
skills/guide1.md Beginner → advanced userscript concepts, metadata block, GM APIs
skills/guide2.md waitForElement, SPA navigation, dynamic DOM handling
skills/guide3.md Layout/size observation for injected UI

The skills/ folder is reference material used while building and reviewing scripts in this repo. It is not loaded by the userscript itself.

Installation

  1. Install a userscript manager:

    • Tampermonkey (Chrome, Firefox, Edge, Safari)
    • or Violentmonkey

  2. Create a new script and paste the contents of userscript/cursor.js.

  3. Save and enable the script.

  4. Open cursor.com/dashboard/settings while logged in.

  5. If prompted, allow the script to access cookies for cursor.com.

You should see an Auth Token row below Student Status inside the Student Verification card.

How the script works

Page targeting

// @match  https://cursor.com/dashboard/settings
// @match  https://cursor.com/dashboard/settings?*   // required when URL has ?query=params
// @match  https://cursor.com/dashboard/settings/*

The script only runs on the dashboard settings page. @match compares against path + query string, so a URL like .../settings?from=2026-06-23 needs the ?* pattern — plain .../settings alone will not match.

DOM injection

The field is inserted into the Student Verification card’s list container:

#student-verification .dashboard-subSection-list
#student-verification .dashboard-section-list

It clones an existing .dashboard-cell row from the Profile section (preferring First Name, then Email) so the new row matches Cursor’s native UI.

Cookie retrieval

GM.cookie.list({ url: 'https://cursor.com', name: 'WorkosCursorSessionToken' })

Fallback lookups also try domain: cursor.com and domain: .cursor.com.

SPA resilience

Cursor’s dashboard is a single-page app. The script uses:

  • waitForElement — waits until the injection target exists before running.
  • MutationObserver — re-injects the field if React re-renders and removes it.

Permissions

The script requests:

Grant Why
GM.cookie Read HttpOnly cookies via GM.cookie.list() (Tampermonkey 5+)
GM_cookie Fallback for older Tampermonkey via GM_cookie.list()

No external network requests are made. The token is only read and displayed locally in the page.

Security note

HttpOnly cookies are hidden from page JavaScript on purpose. This script deliberately surfaces the session token in the DOM so you can see and copy it. That means any other script running on cursor.com could also read it if present. Use this only on accounts you trust and avoid running untrusted scripts alongside it.

Troubleshooting

Problem Likely cause
No Auth Token row appears Not logged in, or Student Verification section failed to load
Row appears but input is empty Cookie permission denied, or session expired — log in again
Field disappears briefly then returns Normal SPA re-render; the observer re-injects it
Cookie API unavailable in console @grant GM.cookie / GM_cookie missing or blocked by the manager

Check the browser console for messages prefixed with [Cursor My Manager].

Development

When editing userscript/cursor.js:

  1. Test snippets in DevTools on the live settings page first.
  2. Use the patterns in skills/guide2.md for dynamic content.
  3. Bump @version when you change the script so Tampermonkey picks up updates.

The Cursor dashboard uses div.dashboard-cell-label for labels (not HTML <label> elements) and duplicate id="student-verification" on both a wrapper and a header — the script targets the inner .dashboard-section-list to avoid placing the field in the wrong place.

License

No license file is included yet. Treat this as personal tooling unless a license is added.

About

monkeyscript for cursortool

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages