Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
Cursor silently re-injects the full text of the previous invocation of a slash command into subsequent invocations of the same command, without notifying the user and without any UI to inspect or clear it.
When a user invokes a slash command (e.g. /revisarPr) and types additional text after it (e.g. a URL or a note), that full text is persisted in aiService.prompts inside the workspace’s state.vscdb. The next time the user invokes that same slash command — even in a brand new chat, with no prior context — Cursor appends the previously saved text to the command’s content that is sent to the model under the <cursor_commands> block.
The user sees only the clean slash command in the chat input, but the model receives the old appended text as if it were part of the command definition. This causes the agent to act on stale or unrelated context (e.g. referencing a PR number from a week ago) with no way for the user to know where that context came from.
Steps to Reproduce
- Create a custom slash command at
.cursor/commands/test.mdwith any content. Confirm the file does not contain any extra notes/URLs. - Open a new chat and type:
Send it./test do something with https://example.com/foo/123 - Open a brand new chat (no shared context).
- Type only
/testand send it. - Inspect what the model actually received (e.g. ask the agent to show the full content of the
<cursor_commands>block it was given, or read the workspacestate.vscdb).
The trailing do something with https://example.com/foo/123 from step 2 will be appended to the command’s content in step 4, even though:
- The chat is new.
- The
.cursor/commands/test.mdfile does not contain that text. - The user did not type it.
To confirm where it lives, you can grep the workspace SQLite:
strings ~/.config/Cursor/User/workspaceStorage/<workspace-hash>/state.vscdb-wal | grep aiService.prompts
The previous prompt text appears stored there with "commandType":4.
Expected Behavior
A slash command invocation should send to the model exactly:
- The contents of the
.cursor/commands/<name>.mdfile. - Plus whatever text the user types in the current input, in the current chat.
It should NOT include text the user typed in a previous chat. If Cursor wants to keep a recent-prompts feature for autocomplete/MRU purposes, that history should:
- Be visible to the user (e.g. shown as a suggestion they can accept or dismiss).
- Never be silently injected into the model’s context.
- Have a clear way to be cleared from the UI.
Operating System
Linux
Version Information
Version: 3.1.17
VSCode Version: 1.105.1
Commit: fce1e9ab7844f9ea35793da01e634aa7e50bce90
Date: 2026-04-19T19:33:58.189Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Linux x64 6.8.0-111-generic
For AI issues: which model did you use?
Sonnet 4.6 and Composer 2 fast
Additional Information
- OS: Linux (Ubuntu 22.04, kernel 6.8.0-111-generic)
- Storage location of the issue:
~/.config/Cursor/User/workspaceStorage/<workspace-hash>/state.vscdb, keyaiService.prompts. - Workaround currently required: close Cursor and manually edit the SQLite database to remove the stale entry. There is no UI affordance for this.
- Security/privacy concern: this can leak data across chats. If a user once typed a private URL, an internal token, or a sensitive note alongside a slash command, that text gets silently re-sent to the model in every future invocation of that command — potentially in unrelated chats, potentially shared with teammates if commands or chats are shared.
- Discoverability concern: because the injected text appears inside the
<cursor_commands>block (which the user cannot see), users will assume the appended content is part of the command file itself and may spend significant time trying to “fix” a command file that is actually clean on disk.
Does this stop you from using Cursor
Sometimes - I can sometimes use Cursor