Serious permissions model for auto-run commands

Right now, the only way to let the Cursor agent run commands without prompting is to configure a whitelist of command prefixes that the agent is allowed to run.

This permissions model is not based on how operating systems actually work. It’s dangerous to use, even in very limited capacities.

Cursor has begun pushing the “Allowlist” feature in agent mode, and I really want to be able to use it so that agents can, e.g., run my test suite without asking. However, I can’t do it because privilege escalation is trivial.

An obvious example:

I keep my OpenTofu HCL in a directory called “tofu”. Whenever working with tofu, the agent learns to run “cd tofu && tofu apply -auto-approve”.

If I whitelisted cd (seems harmless enough), this would mean the agent would start running tofu apply with no verification (!!!). This isn’t some far-out concern; the fact that Cursor is pushing the allowlist so heavily with no clear description of how it works or warning is a DISASTER WAITING TO HAPPEN.

I’m not sure what a realistic permissions model would look like here. A good start would just be to allow only a specific command with args. This would at least let people do things like “Run the whole test suite”.

Maybe also something like “Allow this command for the rest of the chat” would cut down on allowlist bloat.

Would love a discussion about how we could safely implement the spirit of the current model without doing anything dangerous.
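As an added illustration (not code from the post or from Cursor), here is a small Python check that contrasts the prefix-match rule the post describes with the “specific command with args” rule it proposes. The allowlist entries, the exact-argv list format, and the command lines below are all constructed assumptions for the demo.

```python
import shlex

# Constructed allowlists for the demo (assumed formats, not Cursor's).
# Prefix form: approve any command line whose first word is listed.
PREFIX_ALLOWLIST = {"cd", "pytest"}
# Exact form: approve only a command line that tokenizes to one of these argv lists.
EXACT_ALLOWLIST = [["pytest", "-q", "tests/"], ["npm", "test"]]

# Characters that let a shell chain, substitute or redirect commands.
# Any token containing one means the line is not a single simple command.
SHELL_METACHARS = set("&|;$`<>()\n")


def prefix_allowed(cmdline: str) -> bool:
    """The weak rule: look only at the first word of the line."""
    words = cmdline.strip().split(maxsplit=1)
    return bool(words) and words[0] in PREFIX_ALLOWLIST


def exact_allowed(cmdline: str) -> bool:
    """The stricter rule: tokenize like a POSIX shell, refuse anything that
    could expand to more than one command, then require an exact argv match."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False  # unbalanced quotes: don't guess what the shell would do
    if not argv:
        return False
    if any(SHELL_METACHARS & set(tok) for tok in argv):
        return False
    return argv in EXACT_ALLOWLIST


def compare(cmdlines):
    """Return {cmdline: (prefix_verdict, exact_verdict)} for a list of lines."""
    return {c: (prefix_allowed(c), exact_allowed(c)) for c in cmdlines}


if __name__ == "__main__":
    # Constructed sample lines, including the post's "cd tofu && tofu apply" case.
    samples = [
        "pytest -q tests/",
        "cd tofu && tofu apply -auto-approve",
        "pytest -q tests/; tofu apply -auto-approve",
        "pytest -q tests/ $(tofu apply -auto-approve)",
    ]
    for line, (by_prefix, by_exact) in compare(samples).items():
        print(f"{line!r:50} prefix={by_prefix!s:5} exact={by_exact}")
```

The prefix rule approves the chained `cd tofu && ...` line because its first word is `cd`; the exact rule rejects every chained, substituted or unparseable line and accepts only the literal test command.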