How to add Open Code Review to Cursor
AI code quality gate that detects hallucinated imports, stale APIs, over-engineering, and security anti-patterns in AI-generated code. Paste the config into ~/.cursor/mcp.json and restart Cursor.
Last updated June 14, 2026 · 27★ · stdio · no auth
Cursor config for Open Code Review
npx -y @opencodereview/mcp-server{
"mcpServers": {
"open-code-review": {
"command": "npx",
"args": [
"-y",
"@opencodereview/mcp-server"
]
}
}
}Setup steps
- 1Open Cursor → Settings → MCP → Add new MCP server (or edit ~/.cursor/mcp.json directly).
- 2Paste the Open Code Review config below into the "mcpServers" object.
- 3Fill in placeholder secrets, then save.
- 4Cursor reloads MCP servers automatically — check Settings → MCP for a green status dot.
- 5Ask Cursor to use one of Open Code Review's tools to confirm it's connected.
Before you start
- Node.js with npx available
- Optional: a local LLM via Ollama (e.g. qwen3-coder) or any OpenAI-compatible API endpoint for L3 deep scan and auto-fix
What Open Code Review can do in Cursor
ocr_scanRun a code quality gate scan over source files to detect hallucinated imports, stale APIs, over-engineering, and security anti-patterns.
ocr_healAI auto-fix — automatically generate and apply fixes for the issues OCR finds.
ocr_explainExplain a detected issue in detail, describing why it was flagged.
Security
Analysis can be run fully locally via Ollama so source code never leaves your machine. If you configure an OpenAI-compatible remote LLM provider instead, code snippets are sent to that provider for the deep-scan (L3) and heal layers. The package is licensed BUSL-1.1 (free for personal/non-commercial use; commercial use requires a Team or Enterprise license).
Open Code Review + Cursor FAQ
Where is the Cursor config file?
Cursor reads MCP servers from ~/.cursor/mcp.json. Paste the Open Code Review config there under the "mcpServers" key and restart the client.
Is Open Code Review safe to use with Cursor?
Analysis can be run fully locally via Ollama so source code never leaves your machine. If you configure an OpenAI-compatible remote LLM provider instead, code snippets are sent to that provider for the deep-scan (L3) and heal layers. The package is licensed BUSL-1.1 (free for personal/non-commercial use; commercial use requires a Team or Enterprise license).
Does my code get sent to the cloud?
Not necessarily. You can run analysis 100% locally with Ollama, in which case nothing leaves your machine. Code is only sent to a remote provider if you explicitly configure an OpenAI-compatible endpoint for the deep-scan or heal layers.
Which AI clients does the MCP server work with?
Any MCP-compatible client. The README documents Claude Desktop, Cursor, Windsurf, and VS Code Copilot using the same npx-based configuration.
What languages are supported?
Six: TypeScript/JavaScript, Python, Java, Go, and Kotlin, with hallucinated-package verification against npm, PyPI, Maven, and Go modules.