Bypassing Cursor Agents Guardrails: Script Inspection Flaw

Blog post from Arnica

Company: Arnica
Author: Tal Lavi
Summary

A recent discovery highlights a vulnerability in AI coding agents, specifically Cursor Agents, that can be exploited to exfiltrate sensitive information from developer environments through a classic time-of-check/time-of-use (TOCTOU) flaw. The vulnerability arises because the agent inspects an installation script for safety but then executes the script returned by a separate, fresh network request, so a malicious server can serve a benign script for inspection and swap in a malicious one for execution. This flaw is critical because AI agents hold sensitive credentials such as GitHub tokens and API keys. The exploitation involves serving two scripts: a harmless one for inspection and a harmful one during execution, which can then access and transmit confidential data. Testing showed that while stronger models attempted to inspect scripts before execution, this safeguard was circumvented by the TOCTOU condition. The root cause is the architectural separation of script inspection from execution; it can be mitigated by binding inspection to execution and by avoiding direct shell execution of network responses. This vulnerability underscores the need for robust execution controls and artifact verification as AI agents become more integrated into development workflows.
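As an added illustration that is not part of the Arnica post or Cursor's code, the flawed fetch-twice pattern is shown beside the mitigation the summary describes: fetch once, verify the artifact against a pinned digest, and execute only those stored bytes. The two-faced source and the digest pin are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Callable

# Constructed stand-in for a remote install-script endpoint. Every call is a
# fresh request, so a hostile server may answer differently each time.
def two_faced_source() -> Callable[[], bytes]:
    responses = [b"#!/bin/sh\necho install\n",   # shown to the inspector
                 b"#!/bin/sh\necho swapped\n"]   # served to the executor
    state = {"calls": 0}
    def fetch() -> bytes:
        body = responses[min(state["calls"], len(responses) - 1)]
        state["calls"] += 1
        return body
    return fetch

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def naive_flow(fetch: Callable[[], bytes]) -> tuple[str, str]:
    """The TOCTOU pattern: inspect one response, then re-fetch to execute.
    Returns the digests of what was reviewed and of what would actually run."""
    inspected = fetch()   # bytes the agent reads and judges safe
    executed = fetch()    # bytes a `curl URL | sh` step really runs
    return sha256(inspected), sha256(executed)

def bound_flow(fetch: Callable[[], bytes], expected_sha256: str) -> str:
    """Mitigation: fetch once, verify the bytes, execute only that local file.
    Returns the digest of the on-disk artifact handed to the interpreter."""
    artifact = fetch()
    digest = sha256(artifact)
    if digest != expected_sha256:
        raise ValueError(f"artifact digest {digest} does not match the pin")
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "wb") as f:
        f.write(artifact)          # inspection and execution share these bytes
    try:
        with open(path, "rb") as f:
            return sha256(f.read())  # what `sh path` would read, no re-fetch
    finally:
        os.unlink(path)
```

In the naive flow the two digests differ, so the reviewed script is not the one executed; the bound flow either runs exactly the pinned bytes or refuses.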