Cursor's default-on sandbox was the right call. When the 2.x line put the agent's terminal commands inside a locked box — refusing writes outside the project unless the user opts in — that was the security posture every AI code editor should ship. Two flaws in that wall, named DuneSlide by researchers at Cato AI Labs, prove it isn't permanent. Patches shipped in Cursor 3.0 on April 2, two and a half months before the public write-up on July 1, which is exactly how coordinated disclosure is supposed to look. The lesson isn't whether to trust the agent. It's what to do today, and what to add underneath.

The blast radius matters: more than half the Fortune 500 use Cursor, per its maker. A zero-click sandbox escape in that install base isn't a hobbyist problem — it's a patch-everything-on-every-laptop problem.

What Cursor's sandbox was for, in one paragraph

In the 2.x line, Cursor runs the AI agent's terminal commands inside a sandbox by default — a locked box that limits what those commands can touch. The point is simple: an agent that gets confused, misdirected by prompt injection, or just has a bad day cannot, by itself, rewrite your ~/.zshrc or replace a system binary. The sandbox is the difference between "the agent did something dumb" and "the agent did something catastrophic." Most tools Cursor drives over the Model Context Protocol (MCP) inherit that sandbox by default, so the box is the assumption your workflow was built on.
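To make that boundary concrete, here is an added example (not Cursor's code, and not the researchers') of the rule the paragraph describes: a write is refused unless its resolved target sits under the project root or under a path the user opted in. It goes one step past the text by resolving `..` segments and symlinks before comparing, because a containment check that compares raw strings is the usual way such a wall fails. The names (`write_allowed`, `demo`, the temporary layout) are assumptions for illustration.

```python
import os
import tempfile

# Constructed model of a sandbox write policy: project root, optional
# user-approved extra paths, requested write target. Not Cursor's code.


def is_within(path: str, root: str) -> bool:
    """True if the resolved path is root itself or lies beneath it."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def write_allowed(target: str, project_root: str, opt_in=()) -> bool:
    """Deny writes outside the project unless the user opted that path in.

    realpath() collapses '..' and follows symlinks, so a link placed inside
    the project that points at a shell rc file is judged by where it lands,
    not by the name the agent used to reach it.
    """
    if is_within(target, project_root):
        return True
    return any(is_within(target, extra) for extra in opt_in)


def demo() -> dict:
    """Build a throwaway directory layout and exercise the policy."""
    base = tempfile.mkdtemp()
    project = os.path.join(base, "project")
    outside = os.path.join(base, "outside")
    os.makedirs(project)
    os.makedirs(outside)
    # A symlink inside the project whose real location is outside it.
    os.symlink(outside, os.path.join(project, "escape"))
    rc_file = os.path.join(outside, ".zshrc")  # stands in for ~/.zshrc
    return {
        "in_project": write_allowed(os.path.join(project, "src", "main.py"), project),
        "dotdot": write_allowed(os.path.join(project, "..", "outside", "x"), project),
        "symlink": write_allowed(os.path.join(project, "escape", "x"), project),
        "rc_file": write_allowed(rc_file, project),
        "rc_opted_in": write_allowed(rc_file, project, opt_in=[outside]),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:12s} -> {'allow' if allowed else 'deny'}")
```

Only the in-project write and the explicitly opted-in path are allowed; the `..` traversal, the symlink escape and the bare rc-file write are all refused.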