My colleague had a question about a git problem and so I asked cursor to get the right syntax without modifying any git configs. It proceeded to give me the git fetch command I needed. Then it continued to unilaterally run git reset --hard origin/main and blow away hours of hard work in my active codebase.
I went back and re-read my question and there was no hint of a request to execute a command or to do anything beyond answer a question.
Running OSX
Cursor 0.48.8
Agent was claude-3.7-sonnet
Auto-run was enabled, and it seems the UI in the settings changed since I was last in there and wrote something in the auto-execute instructions like “Do not run destructive commands.” Now that box is gone and all that are left are the command whitelist and blacklist boxes, which I didn’t want to use since they’re so narrowly scoped.
It feels like there should be a safety double-check for ultra-destructive commands like rm -rf or git reset --hard.
Epilogue:
Once my blood pressure came down from near-fatal levels, I remembered the timeline for each file could be used to restore the uncommitted work. 30 minutes later, I’d recovered all my work. I am grateful for a recovery option, but other commands might not be so easy to recover from.
In another dangerous example, I asked claude-3.7 some questions about proxying websockets through nginx. It figured out that I was running nginx on the remote server I was developing on, so it decided to open the terminal and cat the answer to my question into a config file in /etc/nginx/hosts.enabled/
Guess I shouldn’t have chowned that dir to myself, but I never expected to have to treat my IDE like an adversary on my own dev server. I was saved that time by the fact that it guessed the config file name wrong and wrote its “hello world” quality config to a slightly different file.
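The "safety double-check" the post asks for can be sketched as a pre-execution guard that parses an agent-issued command line and returns "confirm" (hand it to a human) or "allow" before anything runs. The example below is added here to illustrate that idea; it is not Cursor's code, not the poster's, and not a description of how Cursor's auto-run or block list actually works. The rule set (`git reset --hard`, `git clean -f`, force pushes, `git branch -D`, recursive or forced `rm`, redirections into `/etc/` and similar prefixes), the `PROTECTED_PREFIXES` list and the `naive_blocklist_match` comparison are all assumptions chosen for the demo, and the nginx path reuses the one from the post with a made-up file name. It also shows why an exact-string block list like the one mentioned in the reply is narrower than it looks: `git -C /srv/app reset --hard` never contains the literal text `git reset --hard`.

```python
"""Pre-execution guard for agent-issued shell commands (constructed example).

Splits a command line on shell operators, strips sudo, then classifies each
simple command. A 'confirm' verdict is meant to be wired to a human prompt.
"""
import re
import shlex
from dataclasses import dataclass

# Operators that separate simple commands. Simplification: quoted operators
# are not handled, which is fine for a demo but not for production use.
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

# Paths an agent should never write to without a human in the loop (assumption).
PROTECTED_PREFIXES = ("/etc/", "/usr/", "/var/", "/boot/")


@dataclass
class Verdict:
    action: str   # "allow" or "confirm"
    reason: str


def _short_flag(opts, letter):
    """True if a combined short option like -rf or -fdx contains `letter`."""
    return any(o.startswith("-") and not o.startswith("--") and letter in o[1:] for o in opts)


def _git_verdict(args):
    """Classify the arguments after 'git'. Skips -C <dir> / -c <k=v> globals."""
    rest, skip = [], False
    for a in args:
        if skip:
            skip = False
            continue
        if a in ("-C", "-c"):
            skip = True
            continue
        rest.append(a)
    sub = next((a for a in rest if not a.startswith("-")), None)
    opts = [a for a in rest if a.startswith("-")]
    forced = any(o.startswith("--force") for o in opts) or _short_flag(opts, "f")
    if sub == "reset" and "--hard" in opts:
        return Verdict("confirm", "git reset --hard discards uncommitted changes")
    if sub == "clean" and forced:
        return Verdict("confirm", "git clean -f deletes untracked files")
    if sub == "push" and forced:
        return Verdict("confirm", "force push rewrites remote history")
    if sub == "branch" and _short_flag(opts, "D"):
        return Verdict("confirm", "git branch -D deletes an unmerged branch")
    return Verdict("allow", "git subcommand not on the destructive list")


def _rm_verdict(args):
    opts = [a for a in args if a.startswith("-")]
    recursive = "--recursive" in opts or _short_flag(opts, "r") or _short_flag(opts, "R")
    forced = "--force" in opts or _short_flag(opts, "f")
    if recursive or forced:
        return Verdict("confirm", "recursive or forced rm")
    return Verdict("allow", "rm of a single file without -r/-f")


def _redirect_target(tokens):
    """Return the path a '>' or '>>' redirection writes to, if any."""
    for i, tok in enumerate(tokens):
        if tok in (">", ">>") and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith(">"):  # shlex keeps '>/etc/x' as a single token
            return tok.lstrip(">")
    return None


def guard(command_line):
    """Return the first 'confirm' verdict across the chained commands, else allow."""
    for simple in _SEPARATORS.split(command_line):
        tokens = shlex.split(simple)
        if not tokens:
            continue
        target = _redirect_target(tokens)
        if target and target.startswith(PROTECTED_PREFIXES):
            return Verdict("confirm", f"writes to protected path {target}")
        # Strip sudo and its options so the real command is what gets classified.
        while tokens and tokens[0] == "sudo":
            tokens = tokens[1:]
            while tokens and tokens[0].startswith("-"):
                tokens = tokens[1:]
        if not tokens:
            continue
        if tokens[0] == "git":
            verdict = _git_verdict(tokens[1:])
        elif tokens[0] == "rm":
            verdict = _rm_verdict(tokens[1:])
        else:
            verdict = Verdict("allow", "not a known destructive command")
        if verdict.action == "confirm":
            return verdict
    return Verdict("allow", "no destructive pattern found")


def naive_blocklist_match(command_line, blocklist):
    """Exact-substring block list, the kind of narrow check a parser-based guard improves on."""
    return any(entry in command_line for entry in blocklist)


if __name__ == "__main__":
    # Constructed sample commands, including the two from the post.
    for cmd in ("git fetch origin", "git reset --hard origin/main",
                "sudo git -C /srv/app reset --hard HEAD~1",
                "cat <<EOF > /etc/nginx/hosts.enabled/app.conf", "rm -rf build/"):
        v = guard(cmd)
        print(f"{v.action:8} {cmd!r:55} {v.reason}")
```

The guard is deliberately an allow-by-default classifier with a short list of "confirm" patterns, which is the opposite shape from a whitelist: it does not try to enumerate safe commands, it only refuses to run the handful of well-known irreversible ones silently. Anything it returns "confirm" for should go to a human prompt rather than being auto-denied, so that legitimate resets still work when the user actually asked for them.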
That’s honestly user error. Auto run commands should never be enabled. But there is a command block list in settings where you can set commands to block.