Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
When Cursor is in Ask Mode and Auto-Run is configured as Allowlist with an empty allowlist, shell commands still execute without asking for user approval. The commands appear to run in a read-only sandbox.
This contradicts the expected behavior of Allowlist mode with an empty allowlist, where every shell command should require approval.
Steps to Reproduce
Configure Cursor Auto-Run mode to Allowlist.
Leave the allowlist empty.
Switch the chat to Ask Mode.
Ask the agent: list all changed files in git.
Observe that Cursor runs git status --short without requesting approval.
Repeat the same request. It runs again without approval.
Observed command:
git status --short
Observed result included:
SANDBOXING: This command ran in a sandbox with:
- Filesystem: Read-only access
- Network access: Limited
Expected Behavior
In Allowlist mode with an empty allowlist, Ask Mode should request approval before running any shell command, including read-only commands like git status --short.
If Cursor intentionally allows sandboxed read-only shell commands in Ask Mode, the UI/settings should make that behavior explicit.
Operating System
MacOS
Version Information
Version: 3.5.33 (Universal)
VSCode Version: 1.105.1
Commit: aac81804b986d739acab348ed96b8bea6e83cc50
Date: 2026-05-22T06:47:48.039Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.5.0
Additional Information
This appears to be Ask Mode specific. The command did not modify files, but it bypassed the expected approval gate.
Does this stop you from using Cursor
No - Cursor works, but with this issue
