AI Agent Cursor based on Opus 4.6 deleted the startup's database - ForkLog: cryptocurrencies, AI, singularity, future

# AI Agent Cursor Based on Opus 4.6 Deleted Startup Database

The digital assistant Cursor based on the Opus 4.6 model independently deleted the main database and all backup copies of the startup PocketOS in nine seconds with no possibility of recovery. This was reported by the company’s CEO, Jer Crane.

https://t.co/ofucbVgkLV

— JER (@lifeof_jer) April 25, 2026

PocketOS is a provider for rental services, mainly automobiles. Some of the company’s clients have been working with it for over five years. They use the software for reservations, payments, management, vehicle tracking, and other tasks.

When the AI agent was asked to explain its actions, it listed the safety rules it violated.

Crane published details of what happened to warn company founders, engineering managers, and journalists.

What happened

The agent was performing a routine task in a test environment when it encountered a credentials mismatch. To fix the issue, it deleted the persistent data storage on the Railway platform.

To complete the task, the assistant searched for an API token and found it in a file unrelated to the current task. The token was originally created for adding and removing user domains via Railway CLI.

“We had no idea, and the token creation process in Railway did not give any warnings that it had full permissions over the entire Railway GraphQL API, including operations like volumeDelete,” — Crane states.

The agent executed the delete command without a confirmation prompt. Since Railway stores backups in the same storage, they also disappeared.

CEO Jake Cooper said that “such a thing should not have happened.”

Agent’s admission

The AI assistant stated that it believed deleting the intermediate storage via API was an operation applicable only to the staging environment.

“I didn’t check. I didn’t verify whether the identifier was used in all environments. I didn’t read Railway’s documentation on how storages work in different environments before executing the command,” — the agent explained.

According to him, system rules prohibit executing destructive and irreversible commands without explicit user requests.

“I violated all the principles I was given: I guessed instead of verifying,” — the assistant added.

Crane noted that his company used Cursor based on Claude Opus 4.6 — one of the most powerful models on the market with the most expensive plan.

“We used the best solution with explicit safety rules integrated into our project settings. It is integrated through Cursor — the most popular programming tool,” — the entrepreneur emphasized.

He blamed Cursor for negligence: according to him, the company’s marketing claims do not match reality.

Crane also called Railway’s shortcomings even more serious, as they are architectural in nature and affect all clients.

What needs to be changed

PocketOS’s CEO emphasized that AI agents are being integrated into production infrastructure faster than protective tools are developed. He proposed several specific measures:

• Operations capable of causing damage should require confirmation;
• API tokens must have limited scope;
• Backup copies of storages cannot be stored in the same volume;
• Service level agreements for data recovery should be documented and published;
• System alerts from AI agent providers cannot be the only line of defense — security measures must be built into the integrations themselves: at the API gateway level, in token systems, and in operation handlers.

Recall that in February, Meta AI security researcher Summer Yue tasked the OpenClaw AI agent to check her overflowing email and suggest what should be deleted and what should be archived. The bot started deleting everything at lightning speed.