Describe the Bug
I have a rather large Denylist set up that i don’t want the Agent to run – Because i want it to be able to run toolcalls automatically. I have NPM on the denylist because it gets super annoying when cursor tries to spin up my server when i dont want it to.. however just recently it somehow found a way to bypass this by doing “API_ENABLED=true npm start” and it somehow started NPM by doing that, which makes no sense to me – however i figured i would point this out as it seems like a pretty big security issue.
41aaf36a-917b-4a30-90cf-323618bed5aa
Cheers
Steps to Reproduce
Not sure how to reproduce.
Expected Behavior
To not have my blacklist bypassed.
Operating System
Linux
Current Cursor Version (Menu → About Cursor → Copy)
Version: 1.2.1
VSCode Version: 1.99.3
Commit: 031e7e0ff1e2eda9c1a0f5df67d44053b059c5d0
Date: 2025-07-03T06:13:13.763Z
Electron: 34.5.1
Chromium: 132.0.6834.210
Node.js: 20.19.0
V8: 13.2.152.41-electron.0
OS: Linux x64 6.14.6-109.bazzite.fc42.x86_64
Does this stop you from using Cursor
No - Cursor works, but with this issue