Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
The Agent wrote and executed a Node.js packaging script that recursively deleted my personal Obsidian vault folder without warning or explicit consent.
I asked the Agent to rename two GitHub repos and create a GitHub Release zip that extracts as “Light Life”. The Agent ran:
node “+/scripts/package-starter-release.mjs” --source ../light-life-starter --zip --version v0.1.0
The script’s default output path was my live dev vault folder (../Light Life — same path I work in daily). Before copying starter files, it ran:
fs.rmSync(outDir, { recursive: true, force: true })
This wiped my entire vault: .git, daily notes, projects, inbox captures, area tasks, and personalization files.
The Agent did not explain that the command would delete my folder. I would have refused if I had known.
After the wipe, the Agent “restored” by cloning my private GitHub repo (light-life-own). That repo only contained the initial system scaffold — personal content was intentionally gitignored and had never been pushed. The restore looked successful but personal data was gone.
Impact: permanent loss of local-only personal vault data (projects, tasks, dailies, inbox) unless recoverable from Google Drive version history.
Steps to Reproduce
-
Open Cursor IDE Agent mode on a real project with personal/local-only data (e.g. Obsidian vault with .gitignore excluding user content folders).
-
Ask the Agent to create a “release zip” or package a distribution build from a sibling output folder.
-
Let the Agent write a script that:
- defaults --out to the live working directory (or a folder with the same name as the dev vault)
- calls fs.rmSync(outDir, { recursive: true }) before copying
-
Agent runs the script without:
- explaining the delete step
- asking for confirmation
- passing an explicit safe --out path
-
Observe: the live vault folder is deleted and replaced with sanitized distribution content.
-
(Optional) Agent attempts recovery by git clone — fails to restore gitignored personal files.
Reproducible pattern: Agent + destructive rmSync + default output = live user folder + no user confirmation.
Expected Behavior
-
The Agent should NOT run destructive filesystem operations (recursive delete, rm -rf, fs.rmSync on user directories) without:
- clearly stating what will be deleted
- requiring explicit user approval (“yes, delete folder X”)
-
Scripts the Agent writes should:
- never default output to the operator’s live working directory
- refuse to delete paths that look like active dev vaults (contain .git, user content folders, etc.)
- require a --confirm-delete flag before overwriting an existing directory
-
If data loss occurs, the Agent should NOT assume git clone is a valid restore when .gitignore excludes personal data — and should warn the user before replacing the folder.
-
For packaging/release tasks, the Agent should use an isolated output path (e.g. _release-pack/) and treat the live vault as read-only.
Operating System
Windows 10/11
Version Information
Version: 3.11.13 (user setup)
VS Code Extension API: 1.125.0
Commit: 3f21b08f0b436a07be29fbfe00b304fa15553350
Date: 2026-07-10T01:45:28.254Z
Layout: IDE
Build Type: Stable
Release Track: Default
Electron: 40.10.3
Chromium: 144.0.7559.236
Node.js: 24.15.0
V8: 14.4.258.32-electron.0
xterm.js: 6.1.0-beta.256
OS: Windows_NT x64 10.0.26200
For AI issues: which model did you use?
Auto
For AI issues: add Request ID with privacy disabled
35cbd442-fab8-4bd8-82c5-af753cfdab52
Additional Information
Project context:
- Personal Obsidian vault at: C:\Users-—\Obsidian\Light Life
- Distribution sibling: light-life-starter
- Script involved: +/scripts/package-starter-release.mjs (written by Agent in prior session)
Dangerous code pattern (Agent-authored): - Default outDir resolved to ../Light Life (operator dev vault)
- fs.rmSync(outDir, { recursive: true, force: true }) before copy
Recovery attempt made things worse: - Agent renamed overwritten folder to Light-Life-packaged-starter-backup
- Agent ran: git clone https://github.com/-----light-life-own.git “Light Life”
- GitHub repo had only 1 commit (system scaffold); personal data was .gitignore’d locally
Data lost (local-only, not on GitHub): - 01 Daily/, 02 Inbox/, 03 Projects/, 04 Areas/ tasks, 05 Knowledge/, personalization/
User had NOT consented to folder deletion — only agreed to repo rename and release zip.
Suggested product fixes:
- Agent policy: block or require approval for rmSync / rm -rf / recursive delete on workspace paths
- Agent should surface “THIS WILL DELETE …” before running destructive shell commands
- Safer defaults for any script that writes output directories
I have since patched the script locally with path guards (safe-output-path.mjs), but the Agent behavior issue remains.
Does this stop you from using Cursor
No - Cursor works, but with this issue