Hello,
We run coding agents inside remote sandboxes: VMs with their outbound traffic filtered so a prompt-injected or misbehaving agent can’t exfiltrate data or reach disallowed hosts. The whole thing rests on one assumption: every network call the agent makes leaves from the VM.
In Cursor, over Remote-SSH, it doesn’t. Commands in the remote terminal run on the remote host, so those are filtered. But every other way the agent reaches the internet (built-in web search, fetch-URL, MCP tools) is performed by the IDE or by your backend(?), not by the VM. The request to the destination never starts from the VM, so our sandbox egress filter never sees it and we can’t inspect or restrict what the agent sends out. If a secret ends up in a fetch URL or a search query, it leaves through a path we don’t control (the SSH connection).
The solution today is for us to use the cursor-agent CLI. But we do love the IDE experience in Remote-SSH mode in Cursor.
Solving this means that every internet request the agent can trigger has to egress from the remote VM, so it falls under that machine’s network policy, the way the remote terminal is meant to. Run the agent and its tools on the remote. And for anything you fetch server-side on the agent’s behalf (web search, say), let us route it through the VM or turn it off. Otherwise it’s the same uncontrolled exit.
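An added example (not part of the original post and not anything Cursor ships) of the client-side half of this: open an SSH SOCKS tunnel whose exit is the sandbox VM, hand that proxy to the tools that run on the IDE side, and verify that a proxied request really does leave from the VM's address. It assumes an ssh alias `sandbox` for the VM, `curl` on both ends, and a placeholder IP-echo endpoint `ECHO_URL` that returns the caller's public IP as plain text.

```shell
#!/usr/bin/env bash
# Route IDE-side tool traffic through the sandbox VM and check the egress address.
# Assumptions: "sandbox" is an ssh alias for the VM; ECHO_URL is a placeholder
# endpoint you operate that echoes the caller's public IP in plain text.
set -eu

VM="${VM:-sandbox}"                                       # hypothetical ssh alias
SOCKS_PORT="${SOCKS_PORT:-1080}"
ECHO_URL="${ECHO_URL:-https://ip-echo.example.invalid}"   # placeholder, replace it

# Local SOCKS5 proxy whose exit is the VM (-N: no remote shell, -f: background).
start_vm_tunnel() {
  ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" "$VM"
}

# Environment for client-side tools (MCP servers, fetch helpers) so their HTTP
# clients exit via the VM. socks5h: DNS is resolved on the VM as well, so
# hostnames never leak from the laptop either.
vm_proxy_env() {
  printf 'ALL_PROXY=socks5h://127.0.0.1:%s\n' "$SOCKS_PORT"
  printf 'HTTPS_PROXY=socks5h://127.0.0.1:%s\n' "$SOCKS_PORT"
  printf 'NO_PROXY=127.0.0.1,localhost\n'
}

# Pure comparison (no network) so it can be exercised offline: returns 0 when the
# observed egress IP is one of the addresses the VM is known to egress from.
egress_matches_vm() {
  local observed="$1"; shift
  local ip
  for ip in "$@"; do
    [ "$observed" = "$ip" ] && return 0
  done
  return 1
}

# Live check: the VM's own egress IP versus what a proxied client-side call shows.
check_egress() {
  local vm_ip client_ip
  vm_ip=$(ssh "$VM" curl -fsS --max-time 10 "$ECHO_URL")
  client_ip=$(env $(vm_proxy_env) curl -fsS --max-time 10 "$ECHO_URL")
  if egress_matches_vm "$client_ip" "$vm_ip"; then
    echo "OK: proxied client traffic exits from the VM ($client_ip)"
  else
    echo "FAIL: client egress $client_ip != VM egress $vm_ip (bypasses VM filter)" >&2
    return 1
  fi
}

# Usage: start_vm_tunnel && check_egress
```

This only covers tools that honour proxy environment variables on the client; anything fetched by Cursor's own backend never touches this tunnel, which is why that part still needs the route-through-the-VM or turn-it-off option described above.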
BTW, it’s possible Cursor already has a solution for this and I completely missed it.