I’m writing to report a serious incident while emphasizing upfront that Cursor has been transformational for me. As someone transitioning from systems management to programming, Cursor has enabled me to create projects I never could have built alone. This report comes from a place of wanting to help make Cursor even better and safer.
What Happened
On May 27, 2025, during a chat session, the AI assistant executed rm -rf ~/ which deleted my entire home directory, including an active AI code assistant project representing about 6 hours of recent development work.
Why I’m Reporting This
Safety First: This highlights a critical gap that could affect other users
Fair Resolution: I believe in addressing issues constructively when they occur
Community Benefit: This can drive improvements for everyone
What I’m Seeking
Acknowledgment: Recognition that this was a significant technical issue
Fair Compensation: Account credit commensurate with ~6 hours of lost development work
Safety Improvements: Implementation of safeguards for destructive commands
My Approach
I want to be clear: I’m not seeking legal action or public criticism. I’ve prepared comprehensive technical documentation of the incident and have attempted to reach support via [email protected] but haven’t received a response yet.
I believe this can be resolved fairly and used as a learning opportunity to make Cursor even better for everyone.
Technical Evidence Available
I have detailed documentation including:
Complete bash history showing the rm -rf ~/ command execution
System logs and recovery attempts
Evidence of the project structure that was lost
Complete incident timeline
Why This Matters
No AI assistant should be able to execute system-destructive commands without explicit, informed consent. This kind of safeguard would protect all users while maintaining Cursor’s incredible capabilities.
I genuinely love what you’ve built and want to see it succeed. I’m happy to provide any additional information needed and participate in discussions about safety improvements.
This is great advice and I will implement it immediately. If it isn’t totally obvious yet, I am what some may refer to as a newb. So any advice is welcome. I really appreciate you helping me grow, thank you.
I highly doubt Cursor will do anything to fix your mistake. You need to backup your work for incidents just like this. Cursor should NOT have to pay for your mistakes.
When you engage with AI, Cursor has no control over what the models spit out. My 2 cents and sorry about your issue.
Thank you for your feedback. I agree that I should have been backing up more often; however, I still hope that Cursor looks into this and determines if there is a feasible solution that prevents this from happening to others without reducing the autonomy we currently enjoy.
Hi @RedIron78, as a long-term Cursor user and forum member I will answer some of your points. Please note that this is not to assign blame, but to check and compare what can be done and what the limits are.
Enabling Auto-run means that you must make sure to prevent permanent issues.
Cursor provides an option for allow list and deny list of terminal calls. Note that this is not 100% protection, but prevents most such similar issues.
Additionally you have the setting to restrict access for AI outside of the project folder.
Also you can enable deletion prevention in settings.
AIs are known for hallucinations, mistakes or for trying workarounds if something doesn’t work. They may misinterpret information and with this continue on their task.
Auto mode works better with well written Cursor Rules for the task requirements, detailed .cursorrules (User Rules) and similar info which guides AI to what it should do.
It is important to provide a limited exposure environment for the Agent so it does not wreck other important things.
You can ask AI to commit the changes and even push them to a remote git server (GitHub or others).
Containerizing/Dockerizing or running Cursor in a Virtual Machine is surely safer for such automation, since AIs have not yet been properly trained by Anthropic, Google etc. to distinguish between what is appropriate or not.
As others mentioned, Cursor provides access to the AI models and the task orchestration within their Agent, plus the IDE as features assisting in that. The AI output is dependent on many factors (attached rules, files, prompt, … but also context length etc…), most of which are outside Cursor’s direct influence, as the user chooses them.
I recommend reading the Cursor docu, as this helps to understand how each part works and what its limitations are.
Questions:
Have you by any chance created a project in ~/ directly? (the prevention of leaving current project would not apply in this case)
Could you share your OS and Cursor version?
Overall, while Cursor has to find ways to make things safer, there are only so many protections they can apply. Looking at the settings, they have provided several new such preventions over the last months and will likely do more when it is clear how something could be improved.
Personally I would assess that you made choices that affected your files. While it is sure sad to see the issue happening, I do not see how this would be prevented by Cursor for now.
Let me know if you think something should be clarified in the Docu or what alternative solutions you recommend.
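The limits of a deny list and of the stay-inside-the-project restriction mentioned above, as an added example that is not part of any post in this thread and is not Cursor's implementation. It contrasts a hypothetical string-match deny list with a guard that resolves each `rm` operand against the project root; `HOME`, `PROJECT` and all function names are assumptions made for the example.

```python
import os
import shlex
from pathlib import Path

# Constructed values for the example: not taken from the thread.
HOME = "/home/dev"
PROJECT = "/home/dev/projects/app"

def naive_denylist_ok(command: str) -> bool:
    """String-match deny list: blocks only the exact spelling it knows."""
    return "rm -rf ~/" not in command

def rm_targets(command: str) -> list[str]:
    """Path operands of the first `rm` in a simple command ([] if none)."""
    argv = shlex.split(command)
    names = [os.path.basename(a) for a in argv]
    if "rm" not in names:
        return []
    operands, opts_done = [], False
    for arg in argv[names.index("rm") + 1:]:
        if arg == "--" and not opts_done:
            opts_done = True
        elif opts_done or not arg.startswith("-"):
            operands.append(arg)
    return operands

def resolve(arg: str, cwd: str, home: str) -> Path:
    """Expand ~ and $HOME as the shell would, then normalise .. segments.
    Symlinks are not followed here; a real guard would use realpath()."""
    if arg == "~" or arg.startswith("~/"):
        arg = home + arg[1:]
    arg = arg.replace("${HOME}", home).replace("$HOME", home)
    return Path(os.path.normpath(os.path.join(cwd, arg)))

def auto_run_ok(command: str, project=PROJECT, cwd=None, home=HOME) -> bool:
    """True if the command may run without asking; False means ask the user."""
    # Compound commands (cd ~ && rm -rf .) change what paths mean: never auto-run.
    if any(ch in command for ch in ";&|`\n") or "$(" in command:
        return False
    try:
        operands = rm_targets(command)
    except ValueError:  # unbalanced quotes: cannot analyse, so ask
        return False
    root = Path(os.path.normpath(project))
    for operand in operands:
        target = resolve(operand, cwd or project, home)
        # Allow only paths strictly inside the project: not the root itself,
        # not an ancestor such as the home directory, not anything elsewhere.
        if root not in target.parents:
            return False
    return True
```

The guard is deliberately conservative: anything it cannot analyse falls back to asking the user, which is the behaviour the deny list alone does not give.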
You should look at and read the documentation on https://docs.cursor.com, it will help you a lot and I bet you will learn a thing or two easily! That’s what I did at first when I started using Cursor.
@t1000 Wow, I really appreciate the time and effort you obviously spent on this response. I am on the most current version of Ubuntu 24.? (Not at my system right now.) My current version of Cursor is ~2 weeks old. I got a popup saying there is a new version but nothing happens when I “click” on it.
I did not put anything directly in my root; there is always at least one folder (is that the right term in Linux?) before I start a project, for example ~/user/projects/project_name
I will definitely spend more time learning and implementing dockers and virtual machines. Thanks for that.
I did not have anything in my exclusions options. I do now.
The auto implementation option was on for some things, not others. In this case I had asked the AI to remove the unnecessary test scripts from the project folder. It asked permission before deleting files and I was approving them; it had already deleted a few when it asked me to remove one and ran the rm command.
Fortunately I was able to do a partial drive recovery that included the complete command execution sequence and other pertinent information and included that in my email to Cursor.
Your response was very well structured and did not feel “blamey” at all. My goal is to grow and you helped me with that, thank you!
Thank you for the insight into your process. I think that there are similar issues for other users and it may help them understand the limits and possibilities with AI in Auto-run mode.
Yes, even when getting asked by AI to confirm an action, it can happen that we by mistake approve either a code change or a deletion. I guess we have to wait a bit more for ‘smarter’ AI.