This video from Trelis Research examines the security concerns when using AI coding assistants Cursor and Windsurf. Explore potential data security risks including environment variable leakage, file access vulnerabilities, and the limitations of protection mechanisms like .cursorignore. Learn about the two ways data transfers to these tools, how they access your files without proper sandboxing, and why Codeium's approach might be more secure. Discover practical security measures including enabling Privacy mode, Workspace Trust settings, and disabling snippet telemetry. Get actionable recommendations for developers and organizations using AI coding assistants, with timestamps covering everything from specific vulnerabilities to implementation of security best practices.
Security Risks and Mitigation for Cursor and Windsurf AI Coding Tools
Overview
Syllabus
0:00 Is my data at risk using Cursor or Windsurf?
1:34 Leakage of environment variables passwords due to .cursorignore failing
2:30 Two ways data can be transferred to Cursor or Windsurf
3:07 Using .cursorignore in Cursor
5:58 Cursor and Windsurf have broad access to your files no sandboxing
7:31 .codeiumignore is more robust than .cursorignore for blocking data leakage
9:64 Data risks posed by automated tool calls / agents
10:55 Malicious instructions found while web searching or in code bases
11:56 Cursor Security Docs: .cursorignore is only on a “best effort” basis
13:45 Enabling Privacy mode and Workspace Trust on Cursor
14:53 Disabling snippet telemetry formerly zero-data? on Windsurf workspace trust is the same approach as for cursor
15:40 Security recommendations for developers and organisations using agents
16:39 Security suggestions for Cursor and Windsurf
17:43 Resources
Taught by
Trelis Research
