Hey, thanks for the detailed report.
About the incident. What you’re describing, the agent running destructive shell commands outside the repository, is a known issue. A few important notes about the agent’s safety boundaries, so it’s clear what happened:
- External-File Protection only limits file editing and writing tools. It does not apply to terminal commands like `rm`, `Remove-Item`, `rmdir /s /q`, `git clean -fdx`, and similar.
- On macOS there’s an extra sandbox layer called Seatbelt. On Windows there’s no equivalent, so if the agent is allowed to run a command, it will run with your user permissions anywhere on the disk.
- If Auto-Run is enabled, or if a destructive command is on the allowlist, the agent will run it without confirmation.
What I recommend doing right now while you’re using Cursor on this machine:
- Turn off Auto-Run Mode in Settings → Chat → Auto-Run, or heavily restrict the Command Allowlist and remove any delete, move, or git cleanup commands.
- For risky tasks like filesystem refactors, migrations, or cleanup scripts, use Cloud Agents, a dev container, or a VM instead of a local machine with sensitive data.
- Make sure your important local folders are under Git or backed up before running the agent.
Related threads for context:
- The cursor completely formatted my C drive while I was running the project
- Cursor deleted files across my entire system – critical issue
- Cursor default "Auto-Run Mode" "Command Allowlist" is recklessly dangerous
I can’t share an ETA for changes in this area right now.
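
An added example, not part of the original reply and not Cursor's own code: one way to review a Command Allowlist for the delete, move, and git cleanup commands the reply says to remove. It assumes the entries are copied out of the settings by hand and that an entry permits any command line starting with it, which is why a bare `git` is flagged too; `audit_allowlist`, `normalize` and the sample list are hypothetical names and constructed data.

```python
import re

# Command prefixes for the categories the post names (delete, move, git cleanup).
# A starting set built from the commands mentioned above plus common equivalents;
# extend it for your own shells.
DESTRUCTIVE = [
    ("rm",), ("rmdir",), ("rd",), ("del",), ("erase",), ("remove-item",),
    ("mv",), ("move",), ("move-item",),
    ("git", "clean"),
]

def normalize(entry):
    """Lower-case and split an entry; reduce the program to its bare name."""
    toks = entry.lower().split()
    if toks:
        name = re.split(r"[\\/]", toks[0])[-1]      # /bin/rm -> rm
        toks[0] = name[:-4] if name.endswith(".exe") else name
    return toks

def audit_allowlist(entries):
    """Map each risky entry to the reason it is risky.

    Assumption: an entry permits every command line that starts with it.
    """
    findings = {}
    for entry in entries:
        toks = normalize(entry)
        for cmd in DESTRUCTIVE:
            n = min(len(toks), len(cmd))
            if n == 0 or toks[:n] != list(cmd[:n]):
                continue
            if len(toks) >= len(cmd):
                findings[entry] = "destructive: " + " ".join(cmd)
            else:
                findings[entry] = "too broad: also permits " + " ".join(cmd)
            break
    return findings

# Constructed sample allowlist, not taken from any real configuration.
SAMPLE = ["npm test", "git status", "git", "git clean -fdx",
          "Remove-Item", "rmdir /s /q", "/bin/rm -rf build", "ls"]

if __name__ == "__main__":
    for entry, reason in audit_allowlist(SAMPLE).items():
        print(f"{entry!r}: {reason}")
```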