Is it safe to use Cursor or Windsurf?

Data Security and Risks

Data Security when using coding Agents

I look at some of the data security issues and risks if you're considering using a coding agent - as a developer, or as an organisation.

Cheers, Ronan


Trelis Links:

🤝 Are you a talented developer? Work for Trelis

💡 Need Technical or Market Assistance? Book a Consult Here

💸 Starting a New Project/Venture? Apply for a Trelis Grant


Video Links:

- Cursor Security Deep Research Report: https://chatgpt.com/share/67f6407c-7184-8003-bd60-b45e17258437 (caution: check sources)

- Windsurf Security Deep Research Report: https://chatgpt.com/share/67f640d3-311c-8003-bd37-30a2473dcc52 (caution: check sources)

TIMESTAMPS:

0:00 Is my data at risk using Cursor or Windsurf?

1:34 Leakage of environment variables (passwords) due to .cursorignore failing

2:30 Two ways data can be transferred to Cursor or Windsurf

3:07 Using .cursorignore in Cursor

5:58 Cursor and Windsurf have broad access to your files (no sandboxing)

7:31 .codeiumignore is more robust than .cursorignore for blocking data leakage

9:64 Data risks posed by automated tool calls / agents

10:55 Malicious instructions found while web searching or in code bases

11:56 Cursor Security Docs: .cursorignore is only on a “best effort” basis

13:45 Enabling Privacy mode and Workspace Trust on Cursor

14:53 Disabling snippet telemetry (formerly zero-data?) on Windsurf (workspace trust is the same approach as for Cursor)

15:40 Security recommendations for developers and organisations using agents

16:39 Security suggestions for Cursor and Windsurf

17:43 Resources


Security Risks in AI Coding Assistants

Environment Variable Exposure

Cursor and Windsurf present several security concerns around environment variables and sensitive data:

  1. Cursor can expose .env file contents even when they are listed in .cursorignore

  2. Cursor requires a terminal restart before .cursorignore changes take effect

  3. Cursor describes its ignore functionality as "best effort" rather than guaranteed protection

  4. Windsurf respects .gitignore and .codeiumignore more consistently

  5. Files open in editor windows can be sent as context regardless of ignore settings

Agent Access and Sandboxing

Current implementations lack proper sandboxing:

  1. Agents can access files outside their working directory

  2. No folder-level restrictions on file access

  3. Tool calls can read/write across the entire filesystem

  4. "YOLO mode" allows unrestricted automated tool execution

Data Transfer Mechanisms

Two primary ways sensitive data can be transmitted:

  1. Context inclusion:

     - Files open in editor windows

     - Files not properly ignored

     - Content embedded in prompts

  2. Indexing:

     - Code indexed for search functionality

     - Chunks sent for remote embedding calculation

     - Cursor stores embeddings remotely

     - Windsurf calculates embeddings remotely but stores them locally

Recommended Security Measures

For Cursor:

  1. Enable Privacy Mode in settings

  2. Enable Workspace Trust

  3. Restart after .cursorignore changes

  4. Review tool call permissions

For Windsurf:

  1. Disable code snippet telemetry

  2. Use .codeiumignore consistently

  3. Monitor open windows

General Practices:

  1. Use test API keys during development

  2. Rotate production credentials after coding sessions

  3. Avoid deploying directly from AI-assisted sessions

  4. Review security documentation thoroughly

  5. Use separate development environment for unrestricted usage
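The Environment Variable Exposure list above says ignore files can fail silently, and the Recommended Security Measures list says to use .cursorignore and .codeiumignore consistently. A pre-session check that those files actually cover the secret-bearing files in a workspace is a concrete way to act on both. The script below is an added example, not code from the video or from Cursor or Windsurf; it approximates the gitignore-style matching both ignore files use, and the sample file list, the secret-filename patterns and both ignore-file texts are constructed for illustration.

```python
"""Pre-session audit: are secret-bearing files covered by the editor's ignore file?

Added example, not code from the video or from Cursor/Windsurf. It approximates
the gitignore-style matching both .cursorignore and .codeiumignore use (unanchored
patterns match a basename at any depth, a trailing '/' means a directory, a leading
'!' un-ignores, the last matching rule wins). A single '*' here also crosses '/',
which real gitignore does not, so treat the output as a first pass, not as proof.
"""
from fnmatch import fnmatchcase
import posixpath

# Filename patterns that commonly carry credentials (constructed list).
SECRET_FILE_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "id_rsa", "credentials.json"]


def parse_ignore(text):
    """Turn ignore-file text into (pattern, negated, dir_only, anchored) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        # A pattern containing '/' is matched against the full relative path.
        anchored = "/" in line
        line = line.lstrip("/")
        rules.append((line, negated, dir_only, anchored))
    return rules


def _rule_matches(rule, rel_path):
    pattern, _negated, dir_only, anchored = rule
    parts = rel_path.split("/")
    if dir_only:
        # Directory rules cover everything beneath a matching parent directory.
        for i in range(1, len(parts)):
            candidate = "/".join(parts[:i]) if anchored else parts[i - 1]
            if fnmatchcase(candidate, pattern):
                return True
        return False
    if anchored:
        return fnmatchcase(rel_path, pattern)
    # Unanchored patterns match any single path component.
    return any(fnmatchcase(part, pattern) for part in parts)


def is_ignored(rel_path, rules):
    """gitignore semantics: the last rule that matches decides; '!' un-ignores."""
    ignored = False
    for rule in rules:
        if _rule_matches(rule, rel_path):
            ignored = not rule[1]
    return ignored


def looks_secret(rel_path):
    """True when the basename matches a pattern that commonly holds credentials."""
    name = posixpath.basename(rel_path)
    return any(fnmatchcase(name, p) for p in SECRET_FILE_PATTERNS)


def unprotected_secrets(files, ignore_text):
    """Secret-looking files the ignore file does not cover, sorted for stable output."""
    rules = parse_ignore(ignore_text)
    return sorted(f for f in files if looks_secret(f) and not is_ignored(f, rules))


# Constructed sample workspace (POSIX-style relative paths) and two ignore files.
SAMPLE_FILES = [
    "src/app.py",
    ".env",
    ".env.production",
    ".env.example",
    "deploy/tls/server.pem",
    "scripts/id_rsa",
    "README.md",
]
WEAK_IGNORE = "# only the top-level .env is listed\n.env\n"
STRICT_IGNORE = "\n".join([
    ".env",
    ".env.*",
    "*.pem",
    "*.key",
    "id_rsa",
    "deploy/tls/",
    "!.env.example",  # the template holds no real secrets, so keep it indexable
]) + "\n"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_IGNORE), ("strict", STRICT_IGNORE)):
        print(f"{label}: unprotected = {unprotected_secrets(SAMPLE_FILES, text)}")
```

Run it on the constructed sample and the weak ignore file leaves .env.production, the TLS key and the SSH key uncovered, while the strict one reports only .env.example, which the trailing `!` rule deliberately un-ignores. Feed it the real file list of a workspace (for example the output of `git ls-files`) and the contents of .cursorignore or .codeiumignore to check a repository before a session. The audit does not address the other two failure modes the video describes: Cursor only applies .cursorignore changes after a restart, and a secret file that is open in an editor window can be sent as context regardless of what the ignore file says.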

Areas for Improvement

The tools could benefit from:

  1. Strict folder-level sandboxing

  2. Guaranteed ignore file enforcement

  3. Local-only operation options
