I didn’t even realize Cursor had full shell access to all the files on my computer (opened root as my workspace). The command allowlist not blocking anything at all is a terrible default, and should be made more clear, at the least, but really changed to the prior default (an actual allowlist in your shell).
Setting “Auto-Run Mode” = “Auto-Run in Sandbox” has a useless “Command Allowlist”. It still allows any commands in your workspace. The setting “Legacy Terminal Tool” = on, with “Auto-Run Mode” = “Use Allowlist”, respects the whitelist.
Making the allowlist a legacy feature instead of an active feature is ridiculous for an AI agent. And you should not be tricked into thinking it’s a shell command allowlist, when it’s really a network-only shell command allowlist. It’s not a good solution to ask people to approve every command either, because that’s not agentic at all. And even if the default was some weird and useless allowlist, you shouldn’t have to do research to set one up.
By default, Cursor uses “Auto-Run in Sandbox” mode. In this mode, the sandbox keeps things contained by confining the agent to your workspace. Commands that run within the sandbox do not prompt.
Opening / as your workspace kind of breaks the safety model here. The sandbox boundary is the workspace. When the workspace is your entire filesystem, “confined to workspace” doesn’t mean much.
Is there something specific you’re worried about with the defaults when the workspace is confined to a single directory of source code, rather than your whole machine?
Thank you for your help. I have more concerns than time to explain.
If Google has a monorepo, you’re okay with 3 trillion dollars of value in 1 workspace?
How many times do you think is too many for an engineer to switch workspaces per day?
Are you going to leave a “whitelist” that does not whitelist, without clarifying in settings?
Are you going to call something a sandbox that does not actually have any guarantees about isolation, including running arbitrary binaries that can do anything and also accessing the full internet? Are you using heuristics instead of OS to implement the sandbox (please tell me not AI)?
Are you okay with AI deleting files and destroying code by default?