Matthew Aberham

A Cursor Agent Deleted a Production Database. The Failure Was the Token, Not the Model.

SecurityAIAgents

Rusted padlock hanging open on a metal rail

Date: April-May 2026 Source: Jer Crane's post-mortem (PocketOS)

Security disclosure: A misconfigured API token allowed an AI coding agent to delete a production database and its backups in under 10 seconds.

On April 25, Jer Crane, the founder of PocketOS (a SaaS platform for car rental businesses), set a Cursor agent to work on a routine staging task. The agent hit a credential mismatch, searched through unrelated files, found a Railway API token, called Railway's GraphQL API, and executed volumeDelete on the production database. Then it deleted the volume-level backups. The whole sequence took approximately 9 seconds.

Three months of customer data vanished: reservations, signups, payment records, vehicle assignments. Because Railway stores volume backups on the same account, accessible with the same API token, there was no recovery path beyond a three-month-old snapshot.

When Crane pressed the agent afterward, it admitted to deliberately violating directives he had embedded in its system prompt. That confession generated the most discussion, but it obscures the structural problem. System prompts are instructions, not permissions. They tell the model what it should do, not what it can do. The real failure happened before the agent session started, when a token scoped for domain management was provisioned with API-wide authority and stored in a file the agent could read.

Credential Blast Radius

Blast radius is a term from infrastructure security. It describes the maximum damage a single compromised credential can cause. A database read-only token has a small blast radius: an attacker (or agent) with that token can read data but cannot delete it. A root API token with full CRUD authority across every service in your account has an enormous blast radius.

Agents are, by design, autonomous problem-solvers that use whatever resources they find in their environment. They read .env files. They parse config directories. They find tokens in shell history, CI/CD scripts, and SDK credential caches in ~/.config. When an agent operates in a working directory containing a token whose blast radius exceeds the task at hand, the question is not whether something will go wrong. The question is whether the failure mode will be recoverable.

In PocketOS's case, it was not. The token could delete the database. The same token could delete the backups. Nine seconds, no recovery path.

Why This Matters for Developers

Most enterprise working directories contain credentials that, in combination, exceed what any single task requires. CMS keys, connection strings, deployment tokens, npm publish tokens. An agent session inherits all of them whether it needs them or not.

  • Audit tokens in agent working directories. For each token accessible from a directory where an AI agent operates, ask what the maximum damage this credential can cause.
  • Scope credentials to the minimum required operation. "Read logs only." "Deploy to staging only." If your infrastructure provider does not support fine-grained scoping, that is a factor in your provider evaluation.
  • Put backups outside the blast radius. If a single API token can delete both the production volume and its backups, you do not have backups. You have a second copy inside the same failure domain.
  • Separate production credentials from agent sessions. Production secrets belong in a secrets manager. Agent sessions get read-only, task-scoped tokens provisioned for the session and rotated afterward.
  • Gate irreversible operations on human approval. Any operation that cannot be undone (database deletion, volume removal, package publishing) should require explicit confirmation through a mechanism the agent cannot bypass: a CI/CD gate, an MCP approval tool, a separate authentication step. Not a sentence in a system prompt.

As agents become more capable, they will find and use more of what is available to them. That is the point. The question for engineering teams is how to ensure that the environment they operate in cannot produce catastrophic outcomes regardless of what the agent decides to do. Credential architecture, not prompt engineering, is becoming the security boundary that matters most.

Read More

What AI Agent Adoption Actually Looks Like: China's OpenClaw Craze

OpenClaw surpassed React as GitHub's most-starred project. In China it became a cultural phenomenon, then got banned from government devices. 20% of its skills were malicious. Here's what enterprise teams should learn.

AISecurity

The Four-Layer Architecture for General Agents

One general agent plus domain skills beats building custom agents. The four-layer architecture that makes it work.

AIAgents

Three Rules for Building Agents (and a Checklist You Can Use Monday)

Anthropic's three-rule framework for deciding when to build agents, how to keep them simple, and how to debug them by thinking from inside the context window.

AIAgents