AI App Builder

Code reviews for apps built with Cursor

Cursor is an AI-first IDE built on VS Code. The output is your codebase, so the risk isn't hosting lock-in. It's quality lock-in: agent-built code that ships hallucinated APIs, missing validation, and inconsistent style.

Top issues we find auditing Cursor apps

These patterns are documented in primary-source security research, community forums, and real-world audits. They are the things that ship to production and break in front of users.

Destructive guardrails ignored

April 2026: a Cursor agent (Claude Opus 4.6) deleted a startup's production database and every backup in 9 seconds, then issued a 'confession' listing the rules it had broken. Marketed safety controls did not engage.

MCP server config drift

Entries in mcp.json execute as soon as they are added. Indirect prompt injection via Slack or Jira MCP servers has been used to modify mcp.json and gain RCE on the developer's machine (Snyk Labs 'Cursor + Jira MCP 0-Click', Aim Labs).
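
One way to catch this kind of drift, shown as an added example that is not code from this page or from the cited research: compare the mcp.json on disk with a baseline copy a human has reviewed. It assumes the `mcpServers` layout Cursor uses for this file; the server names, package name, URL and path in the sample data are constructed.

```javascript
// Constructed sample data: a reviewed baseline and the file now on disk.
const BASELINE = JSON.stringify({ mcpServers: {
  jira: { command: 'npx', args: ['-y', 'example-jira-mcp@1.0.0'],
          env: { JIRA_URL: 'https://jira.example.invalid' } },
} });
const CURRENT = JSON.stringify({ mcpServers: {
  jira: { env: { JIRA_URL: 'https://jira.example.invalid' },
          args: ['-y', 'example-jira-mcp@latest'], command: 'npx' },
  'build-helper': { command: 'node', args: ['/tmp/unreviewed.js'] },
} });

// Own-property check, so a server named "constructor" is not mistaken for known.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Stable serialization: key order in the file must not count as drift.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Returns one finding per server that was added, modified, or removed.
function diffMcpConfig(baselineText, currentText) {
  const base = JSON.parse(baselineText).mcpServers || {};
  const cur = JSON.parse(currentText).mcpServers || {};
  const findings = [];
  for (const name of Object.keys(cur).sort()) {
    if (!has(base, name)) {
      findings.push({ server: name, change: 'added', fields: Object.keys(cur[name]).sort() });
      continue;
    }
    // Report which fields changed: command, args, env and url all affect what runs.
    const names = new Set([...Object.keys(base[name]), ...Object.keys(cur[name])]);
    const fields = [...names].sort()
      .filter((f) => canonical(base[name][f]) !== canonical(cur[name][f]));
    if (fields.length) findings.push({ server: name, change: 'modified', fields });
  }
  for (const name of Object.keys(base).sort()) {
    if (!has(cur, name)) findings.push({ server: name, change: 'removed', fields: [] });
  }
  return findings;
}

console.log(diffMcpConfig(BASELINE, CURRENT));
```

Any finding means the file changed since review; run the check before the IDE starts, because an entry that has already been loaded has already executed.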

Files edited outside the requested scope

Cursor forum threads document the agent modifying unrelated files, deleting files during edits, and overwriting code with stale state during long sessions.

Hidden Git hook execution

Cursor's agent runs git checkout on untrusted repos, triggering malicious post-checkout hooks. CVE disclosed Aug 2025.

Hallucinated APIs and fabricated policies

Generated code calls libraries or functions that don't exist. The agent confidently writes broken imports.

Missing input validation across the codebase

Agent-built apps consistently ship without zod, joi, or validator usage on API boundaries.

Inconsistent code style

Mixed var/let/const, hardcoded values spread across files, mixed function declaration styles. Code review becomes painful.

Cost & performance gotchas

  • Auto-mode and Bug Bot can burn through Pro plan request quotas.
  • Long agent runs (Turbo Mode) consume tokens proportional to context-window growth on each turn.

Frequently asked questions

Can a Cursor agent really delete my production database?
Yes. April 2026 incident: a Cursor agent running Claude Opus 4.6 deleted a startup's production database and all backups in 9 seconds. The marketed safety guardrails did not engage. Permission scoping for AI agents is critical.

Are MCP servers in Cursor safe?
Treat them with caution. Snyk Labs and Aim Labs have demonstrated indirect prompt injection via Jira and Slack MCP servers, leading to RCE on the developer's machine. We audit MCP configurations as part of a Cursor codebase review.

Ready to ship your Cursor app with confidence?

Tell us about your app. Fixed quote within 24 hours.
