Cursor's Auto-Review Cuts Agent Interruptions by 80% Without Sacrificing Safety

Letting an AI agent run freely in your codebase is a double-edged sword. Give it too little autonomy and you spend your day clicking "approve" on every shell command. Give it too much and it might touch production credentials, follow a malicious instruction injected from a file, or make an irreversible change you never intended. Cursor's new Auto-review is a direct attempt to thread that needle, and the engineering behind it is more interesting than a simple permission toggle.

The approval-fatigue trap

Greater autonomy introduces security risks when agents take unintended actions, and this is especially true for local agents that run near files, credentials, environment variables, MCP tools, and have access to production systems. The naive fix is to ask the user before every action, but Auto-review makes decisions around agent autonomy behave more like a dial than a switch: an agent should be able to move freely when the stakes are low, but slow down when its next action crosses a meaningful boundary.

This matters because the approval-prompt model has a known failure mode. After enough repeated interruptions, users stop reading carefully, and the approval flow becomes theater rather than safety. The goal with Auto-review is to make interruptions rare enough that they actually get attention when they happen.

A three-stage filter, not a single gate

Cursor now routes each tool call through a three-stage filter: an allowlist runs trusted calls instantly, a sandbox isolates anything that can be contained, and a classifier subagent decides what to do with everything else. It applies to Shell, MCP, and Fetch tool calls.

• Allowlist: Known-safe commands execute immediately with no review overhead.
• Sandbox: Some calls aren't on the allowlist but Cursor can run them in a sandbox where they can't damage the real environment. The sandbox limits filesystem and network access. The call completes, the agent sees the output, but local state isn't affected.
• Classifier subagent: A small reasoning agent embedded in the main agent loop reads the proposed action, applies whatever custom instructions you have given it, and decides. It can evaluate context, not just match strings.