Cursor YOLO Mode Runs Shell Commands Without Confirming

Agent mode keeps running shell commands without the confirm prompt, even after you flipped the toggle off. The cause is usually allowlist scope, stale settings, or a workspace override. Here is how to find it and fix it.

You turned off YOLO mode (or never turned it on), opened Agent mode, asked Cursor to do something innocent, and the next thing you see is rm -rf node_modules running in the integrated terminal without a confirmation popup. Or pip installing a long list of packages. Or pushing to a branch. The toggle in Settings clearly says “Require confirmation,” and yet the commands just keep going. The root cause is almost always one of three things: an allowlist that is wider than you think, a stale settings file that overrides your UI choice, or a workspace-level setting taking precedence over user-level. Once you know which lane, the fix is a one-minute edit.

Common causes

Ordered by hit rate, highest first.

1. Command allowlist is too permissive

Cursor lets you allowlist commands or command prefixes that skip the confirmation prompt. If npm, git, or even * is on that list, the matching commands run without asking. People often add an npm entry once for npm install and forget that a prefix or wildcard entry matches everything starting with npm.

How to judge: Settings → Cursor Settings → Features → Agent → “Allowed commands.” If you see any broad prefix or a *, that is it.

2. Workspace-level setting overrides user-level

.vscode/settings.json or .cursor/settings.json inside the repo can set cursor.agent.yoloMode: true and override your global preference. You toggled the wrong layer.

How to judge: Search the workspace for yoloMode or agent.confirm. If a workspace JSON sets it, that wins.

3. Old settings cached after an update

After a Cursor version bump the settings schema sometimes changes. The UI shows the new toggle off, but the old key in settings.json (a different name) still grants auto-run permission.

How to judge: Open ~/.cursor/settings.json (or %APPDATA%\Cursor\User\settings.json on Windows). Search for any key containing yolo, autoRun, or confirmCommands.

4. Rules file grants auto-execution

A .cursorrules or .cursor/rules/*.mdc file with text like “always run shell commands without asking” gets parsed by Agent as an instruction and bypasses the UI gate for that session.

How to judge: Grep your repo for “without asking”, “no confirmation”, “auto run” inside rules files. Any match could be the culprit.

5. The command was queued in a multi-step plan

Agent mode plans several steps and runs them as one batch. The first step might prompt; subsequent steps in the same plan inherit consent and do not re-prompt.

How to judge: Look at the chat. If the run started with a “Plan: 1, 2, 3” block and you clicked Approve once, every step in that plan runs without further prompts.

6. Bug in a specific version

Cursor 0.42 and a couple of early 0.45 builds had a confirmed bug where the confirm toggle was ignored for commands matching cd ... or &&-chained commands.

How to judge: Help → About. If you are on a known-bad version, upgrade.

Before you start

  • Decide whether you want zero auto-execution or a small curated allowlist; the fix differs.
  • Close any running Agent task before editing settings — settings reload on next prompt, not mid-run.
  • Back up your settings.json once before editing.

Information to collect

  • Cursor version from Help → About.
  • OS and shell (Cursor uses your default shell for the integrated terminal).
  • The exact command that ran without confirmation.
  • Contents of ~/.cursor/settings.json (or %APPDATA%\Cursor\User\settings.json).
  • Any .cursorrules or .cursor/rules/*.mdc in the project.
  • Workspace .vscode/settings.json if present.
  • The most recent log in ~/.cursor/logs/.

Step-by-step fix

Step 1: Audit the allowlist

Open Settings → Cursor Settings → Features → Agent → “Allowed commands.” Remove every entry. Save. If you need an allowlist later you can add narrow exact strings (e.g. npm test), not prefixes.

Step 2: Force the confirmation flag in user settings

Open Command Palette → “Preferences: Open User Settings (JSON)” and add:

{
  "cursor.agent.yoloMode": false,
  "cursor.agent.allowedCommands": [],
  "cursor.agent.requireConfirmation": true
}

Save and reload the window (Cmd+Shift+P → “Developer: Reload Window”).

Step 3: Check for workspace overrides

In the project root, look for .vscode/settings.json and .cursor/settings.json. Remove any cursor.agent.* keys from those files, or move the settings up to user level. Workspace JSON always wins over user JSON.

Step 4: Scrub rules files

Grep your repo for any rule that grants auto-execution:

grep -ri "without asking\|no confirmation\|auto.run\|skip prompt" .cursor .cursorrules 2>/dev/null

Delete or rephrase those lines. Rules are interpreted as instructions; an aggressive rule will defeat the UI gate.

Step 5: Upgrade Cursor

Help → Check for Updates. The 0.42 and early-0.45 confirm-bypass bug is fixed in 0.46+. If you cannot upgrade right now, avoid Agent mode and use Composer (which prompts for every shell action) until you can.

Step 6: Verify with a harmless chained command

In a scratch repo, ask Agent: “Run echo TEST && false.” If you get a confirmation prompt, the gate is back. If it runs silently, jump back to Step 1 and check the allowlist again.

Step 7: As a hard backstop, sandbox the shell

If you still cannot trust the gate, point Cursor’s integrated terminal at a sandboxed shell wrapper that requires a stdin yes/no for any command outside a safe list. Set it under Settings → Terminal → Integrated → Default Profile. It is heavy-handed, but it does not depend on Cursor’s own confirmation gate.
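
The decision such a wrapper has to make, next to the prefix matching described under cause 1, as an added example (not Cursor's code and not from the original page). The function names and the REJECT set are hypothetical, the safe list reuses the FAQ's two exact strings, and how the wrapper is wired into the terminal profile is left out.

```python
import shlex

SAFE_LIST = {"npm test", "pnpm build"}      # exact strings, as the FAQ recommends
OPERATORS = {"&&", "||", ";", "|", "&"}     # control operators that chain commands
REJECT = set("'\"\\`$#\n")                  # quoting, escapes, expansion, comments

def prefix_allows(line, prefixes):
    """The weak form: anything that starts with an allowlisted prefix runs."""
    return any(line.startswith(p) for p in prefixes)

def split_commands(line):
    """Split one shell line into its simple commands at control operators."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""   # keep '#' literal so a comment cannot hide a command
    commands, current = [], []
    for token in lexer:
        if token in OPERATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [" ".join(c) for c in commands if c]

def needs_confirmation(line, safe_list=SAFE_LIST):
    """True unless every chained command is an exact safe-list entry."""
    if REJECT & set(line):  # safe entries never need these characters: fail closed
        return True
    commands = split_commands(line)
    return not commands or any(c not in safe_list for c in commands)

if __name__ == "__main__":
    for line in ("npm test", "npm uninstall left-pad",      # constructed samples
                 "npm test && git push origin main", "echo TEST && false"):
        print(f"{line!r}: prefix 'npm' allows={prefix_allows(line, ['npm'])}, "
              f"confirm={needs_confirmation(line)}")
```

Redirections, subshell parentheses and unknown operator runs end up inside a command string that matches no safe-list entry, so they also require confirmation.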

Verify

  • Run a fresh Agent prompt that needs a shell command. The confirmation popup must appear.
  • Run a multi-step Agent plan. Every shell step should re-prompt, not just the first.
  • Reload the window and repeat — the setting must survive a reload.
  • Open ~/.cursor/settings.json and confirm the keys you added are still there.
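
The checks from Steps 1 to 4 can be repeated as one script whenever settings change. This is an added example, not Cursor tooling and not from the original page: the setting keys and file paths are the ones this page gives, while the function names and the "broad entry" heuristic are assumptions.

```python
import json
import re
from pathlib import Path

# Safe values from Step 2; the key names are the ones this page gives.
SAFE = {"cursor.agent.yoloMode": False,
        "cursor.agent.allowedCommands": [],
        "cursor.agent.requireConfirmation": True}
LEGACY = re.compile(r"yolo|autoRun|confirmCommands", re.I)  # cause 3 substrings
RULE_TEXT = re.compile(r"without asking|no confirmation|auto.run|skip prompt", re.I)

def broad_entries(allowlist):
    """Assumed heuristic: a wildcard or a bare program name acts as a prefix."""
    return [e for e in allowlist or [] if "*" in e or len(e.split()) < 2]

def audit(user, workspace):
    """Findings for two settings dicts; workspace values win over user values."""
    findings = [f"workspace overrides {k}" for k in workspace
                if k.startswith("cursor.agent.")]
    effective = {**user, **workspace}
    for key, safe in SAFE.items():
        if key not in effective:
            findings.append(f"{key} is not set")
        elif key.endswith("allowedCommands"):
            findings += [f"broad allowlist entry {e!r}"
                         for e in broad_entries(effective[key])]
        elif effective[key] != safe:
            findings.append(f"effective {key} = {effective[key]!r}")
    findings += [f"review legacy key {k}" for k in effective
                 if k not in SAFE and LEGACY.search(k)]
    return findings

def scan_rules(text):
    """Rule lines that read as an auto-execution grant (same patterns as Step 4)."""
    return [ln.strip() for ln in text.splitlines() if RULE_TEXT.search(ln)]

def load(path):
    """Missing file -> {}; a file that is not strict JSON raises instead of passing."""
    try:
        return json.loads(Path(path).read_text(encoding="utf-8"))
    except FileNotFoundError:
        return {}

if __name__ == "__main__":
    workspace = {**load(".vscode/settings.json"), **load(".cursor/settings.json")}
    rules = [Path(".cursorrules"), *Path(".cursor/rules").glob("*.mdc")]
    hits = [h for r in rules if r.is_file() for h in scan_rules(r.read_text())]
    for line in audit(load(Path.home() / ".cursor/settings.json"), workspace) + hits:
        print(line)
```

Run it from the project root; no output means the effective settings match Step 2 and no rules file matched the Step 4 patterns.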

Long-term prevention

  • Keep cursor.agent.allowedCommands empty unless you have a strong reason; an empty list is the safe default.
  • Treat .cursorrules like code — review changes in PRs so nobody slips in an auto-run rule.
  • Pin Cursor to a known-good minor version on your team and upgrade together.
  • Audit user vs workspace settings during onboarding. People who share repos inherit the workspace settings.
  • Use Composer for risky branches (rebases, deploys); reserve Agent for green-field code.

Common pitfalls

  • Adding npm to the allowlist to skip the prompt for npm test, then forgetting it also covers npm uninstall.
  • Editing user settings while a workspace setting silently overrides them.
  • Trusting the UI toggle without checking the underlying JSON.
  • Assuming a Cursor update resets your settings — it does not.
  • Believing the confirmation prompt protects against &&-chained commands on older versions. It did not.

FAQ

  • What exactly is YOLO mode? A Cursor Agent setting that lets the model run shell commands without asking for each one. Useful for scripted tasks, dangerous by default.
  • Can I allowlist just safe commands? Yes. Use exact strings like npm test or pnpm build, never prefixes or wildcards.
  • Does the confirmation prompt also gate file edits? No, file edits go through the diff review flow. The confirm prompt is specifically for shell commands.
  • Why did Agent push to main without asking? Either git was on the allowlist, or you approved a multi-step plan that included the push.
  • Is there a panic-stop? Click the stop button on the running task or press Cmd+Shift+P → “Cursor: Stop Agent.” For runaway processes, kill the integrated terminal.
