What Cursor --force
actually does.
In the Cursor Agent CLI the bypass is cursor-agent --force (aliased --yolo), which force-allows every command unless it is explicitly denied, typically alongside -p/--print and --trust for headless runs. The catch is that Cursor's denylist has documented bypasses, so --force effectively means unsupervised shell access. The safer pattern is to keep a human gate on non-allowlisted commands with Pushary, pushing those approvals to your phone and keeping an audit trail.
The flag
cursor-agent --force (alias --yolo)Force-allows every command unless it is explicitly denied.
What the flag actually does
The --force flag (aliased --yolo) tells cursor-agent to force allow every command unless it is explicitly on the deny list, so the agent runs terminal commands and edits with no confirmation prompt. In headless and scripted use it is usually paired with -p/--print (non-interactive output, full tool access including write and shell), --approve-mcps (auto-approve all MCP servers), and --trust (trust the workspace without prompting in headless mode). Together these give a fully unattended agent that executes on its own.
Why people use it, and the real risk
Cursor's deny list is the only thing standing between --force and disaster, and security researchers at Backslash showed the denylist is bypassable, including through Base64-obfuscated commands, so 'explicitly denied' is not a reliable fence. In this mode the agent runs shell commands and file edits with no human check, so a destructive command or a prompt-injection payload hidden in a repo file or fetched web page executes immediately. Because MCP servers are auto-approved with --approve-mcps, a malicious or compromised server also runs unattended. There is no per-command approval record, so you cannot later show which actions a human sanctioned.
Three ways to run an agent
Full bypass keeps the agent moving but drops the gate. Babysitting keeps the gate but pins you to the keyboard. A phone gate keeps both.
| Approach | Agent keeps moving | Destructive actions gated | Away from the keyboard | Audit trail |
|---|---|---|---|---|
| Full bypass (Cursor) | ||||
| Babysit the terminal | ||||
| Pushary phone gate |
The safer alternative
Do not rely on the denylist as your safety layer. Instead keep an allow list for the routine safe commands and route anything outside it to a human, using Pushary to push that approval to your phone and block until you answer. A PreToolUse hook or MCP policy decides per tool call whether to auto-allow, deny, or escalate to your phone, and every escalation plus its answer is logged. That gives you unattended throughput on the safe path and a real human decision, with an audit trail, on the commands that can actually hurt you.
Cursor skip permissions questions
How do I enable YOLO mode in Cursor CLI?
In cursor-agent the flag is --force (its alias is --yolo), described in Cursor's docs as force allow commands unless explicitly denied. For headless automation you usually add -p/--print for non-interactive output and --trust to skip the workspace trust prompt, and --approve-mcps to auto-approve MCP servers. Because Cursor's denylist has known bypasses, a safer route is to allowlist safe commands and push everything else to your phone with Pushary.
How do I make Cursor agent auto-run terminal commands without asking?
Passing --force makes cursor-agent auto-run commands that are not on the deny list, and in the editor this is the Auto-Run / YOLO setting. Be aware researchers demonstrated the denylist can be evaded with obfuscated commands, so it is not a strong guardrail. Keep a human in the loop on risky commands with a Pushary policy that sends the approval to your phone and logs the decision.
Is Cursor --force safe to run unattended?
Only inside an isolated sandbox or disposable container, never against a repo with live credentials or production access, because --force plus the bypassable denylist means the agent can run destructive or injected commands with no human check. For real work, keep an allowlist for safe commands and gate the rest through Pushary so approvals hit your phone and stay in an audit trail.
Run Cursor unattended without skipping every permission.
Keep the agent moving, gate the risky calls, approve from your phone. Set up in two minutes.