Cursor and similar AI IDEs are productive because they can read your whole repo, run commands, and fetch from the web. Each of those is a capability worth configuring deliberately.
Codebase exposure
- Use
.cursorignore(and equivalents) to keep secrets,.envfiles, and credential stores out of the model's context. - Don't rely on the IDE to redact secrets — keep them out of the working tree.
Command execution
- Review before enabling any "auto-run" / "yolo"-style mode that executes commands without confirmation.
- Treat AI-suggested shell commands like a PR from a stranger — read before running.
Web + MCP
- Content the IDE fetches while researching can carry indirect prompt injection — the same risk as any agent reading the web.
- MCP servers you connect run with the IDE's trust; vet them (read tool descriptions, scope credentials).
The IDE isn't the risk; the capabilities you grant it are. Configure them, don't accept defaults blindly.