I’m having some trouble with the agent sandbox. It seems there’s currently no reliable way to whitelist commands for the agent.
Even though certain commands aren’t included in the allow list, the agent can still execute them — including destructive ones like rm -rf inside the workspace. That’s quite concerning, since local files not tracked in Git might still be important, and right now I don’t see a way to fully prevent this.
Unless I’m missing something, the behavior feels inconsistent:
With the sandbox off, I have to manually allow every command.
With the sandbox on, the allow list exists but doesn’t appear to be strictly enforced.
Is this expected behavior, or is there a known workaround?
Yeah, is there a way to go back to the old allowlist model while the sandbox is ironed out as a feature?
Especially since the sandbox currently doesn’t work for pnpm, which makes it unusable in my case since my whole project uses pnpm.
Running any pnpm command (something as innocuous as pnpm lint) causes the sandbox to experience a memory leak, which isn’t resolved when quitting Cursor. I’ve had to shut down my computer twice now!
dotnet commands time out in the sandbox, and my Cursor rule which tells the LLMs that they should run dotnet commands outside of it is also ignored 80% of the time. Really annoying.
Before when I was working with Next.js and npm it was a great feature.
Since sandbox mode with an allowlist was introduced, most of my dotnet CLI runs run into permission issues; now the only way to bypass this is either the dangerous allow-all or approving command by command.
Please take a look at hooks as a replacement for the allowlist. Here, you can define a hook to allow the dotnet commands. The agent should be able to help set up the hooks configuration.