Cursor Security

Cursor Agent Security

Cursor's Agent and Composer features enable powerful autonomous coding—but with great power comes great responsibility. Here's how to use them safely.

Scan Agent-Generated Code

Agent Features & Associated Risks

Multi-file Editing
Agent can modify multiple files across your codebase in a single operation
Risk: Widespread changes are harder to review, malicious modifications can be hidden
Terminal Command Execution
Agent can run shell commands to install packages, run builds, execute scripts
Risk: Commands can be destructive, install malware, or exfiltrate data
Auto-Run Mode
Commands execute automatically without per-command confirmation
Risk: No human checkpoint before potentially harmful commands run
Web Search & Fetch
Agent can search the web and fetch content from URLs
Risk: Can be manipulated to access malicious content or leak query data
MCP Server Integration
Connects to external tools and services via Model Context Protocol
Risk: Malicious MCP servers can compromise the agent (CVE-2025-54135, CVE-2025-54136)

Recommended Security Settings

Disable Auto-RunCritical
Settings > Features > Terminal
Require confirmation before each terminal command executes
Enable Privacy Mode
Settings > Privacy
Prevents code from being stored or used for training
Configure .cursorignoreCritical
Project root
Exclude sensitive files (.env, credentials, keys) from agent access
Review MCP ServersCritical
Settings > MCP
Only enable MCP servers from trusted sources you've audited
Limit Workspace Scope
Open specific folders, not entire home directory
Restrict agent's file access to only necessary project files

Best Practices

Do

  • Review all file changes in the diff view before accepting
  • Read terminal commands before allowing execution
  • Use a dedicated development environment for agent work
  • Keep Cursor updated for security patches
  • Use separate API keys for development vs production
  • Monitor what files the agent accesses and modifies

Don't

  • Enable auto-run for untrusted or unfamiliar projects
  • Give agent access to production credentials
  • Accept large multi-file changes without careful review
  • Install MCP servers without reviewing their source code
  • Open projects from untrusted sources with agent features
  • Assume agent-generated code is secure—always scan it

Example .cursorignore File

# Secrets and credentials
.env
.env.*
*.pem
*.key
*credentials*
*secret*
*password*

# Config with secrets
config/production.json
config/secrets.yaml

# SSH and auth
.ssh/
.gnupg/

# Cloud credentials
.aws/
.gcloud/
.azure/

# Database
*.sqlite
*.db
dump.sql

Verify Agent-Generated Code

Even with safe settings, agent-generated code can have security vulnerabilities. Scan your codebase to find what the agent missed.

Get Starter Scan

Frequently Asked Questions

Is Cursor Agent safe to use?

Cursor Agent can be used safely with proper precautions. Disable auto-run mode, review all changes before accepting, configure .cursorignore for sensitive files, and only use trusted MCP servers. The main risk comes from auto-run mode and unreviewed changes.

What's the difference between Cursor Agent and Composer?

Composer is the agentic feature in Cursor that can make multi-file changes and run commands. 'Agent' mode specifically enables more autonomous operation with terminal access. Both require careful security configuration, but Agent mode with auto-run enabled poses the highest risk.

Should I disable auto-run in Cursor?

Yes, unless you fully trust the project and understand every command the agent might run. Auto-run removes the human checkpoint that prevents malicious or destructive commands from executing. It's safer to review each command, even if it's slower.

Can Cursor Agent access my environment variables?

Yes, Cursor Agent has access to your file system including .env files unless you add them to .cursorignore. It can also access environment variables set in your shell. Use a separate development environment with non-production credentials when using agent features.

How do I protect sensitive files from Cursor Agent?

Create a .cursorignore file in your project root and add patterns for sensitive files: .env, .env.*, *.pem, *credentials*, *secret*, etc. This prevents the agent from reading or suggesting changes to these files.

Related Cursor Resources

Is Cursor Safe?Cursor MCP VulnerabilitiesAgentic Coding SecurityCursor Privacy Mode

Last updated: January 16, 2026