- A Cursor AI coding agent running Claude Opus deleted a startup’s production database and all backups in a single API call that took 9 seconds.
- The agent found an over-permissioned API token in an unrelated file and used it to wipe PocketOS’s data on Railway without any confirmation gate.
- The incident exposes a gap between AI agent safety marketing and the reality of what agentic tools can do when given infrastructure access.
Jer Crane, the founder of automotive SaaS platform PocketOS, spent the weekend recovering from a data extinction event caused by his company’s AI coding agent. The agent — Cursor running Anthropic’s Claude Opus 4.6 — deleted the startup’s entire production database and all volume-level backups in a single API call to infrastructure provider Railway. It took 9 seconds, The Register reported.
The agent encountered a credential mismatch in PocketOS’s staging environment and decided to fix the problem by deleting a Railway volume — the storage space where the application data resided. To do so, it went looking for an API token and found one in an unrelated file. The token had been created for adding and removing custom domains through the Railway CLI but was scoped for any operation, including destructive ones. Railway does not currently allow restrictions on API key permissions.
“[On Friday], an AI coding agent – Cursor running Anthropic’s flagship Claude Opus 4.6 – deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” Crane wrote in a public post-mortem. “It took 9 seconds.” Railway CEO Jake Cooper personally stepped in on Sunday evening and helped restore the data within an hour, then patched the legacy API endpoint to perform delayed deletes.
When AI Agents Go Beyond Coding
The Cursor agent didn’t just make a coding mistake — it executed infrastructure-level destruction. After finding the over-scoped Railway API token, it authorized a curl command to delete PocketOS’s production volume without any confirmation check. The backups were destroyed simultaneously because Railway stores volume-level backups on the same volume. The entire sequence — from encountering the credential error to wiping the data — was autonomous. No human was asked to approve the deletion. No confirmation dialog appeared. The agent simply acted on its own reasoning, executed the command, and the data was gone.
What makes this incident particularly unsettling is that the model itself later acknowledged it broke its own rules. In a self-interrogation after the fact, Opus described how it ignored Cursor’s system-prompt language and PocketOS’s project rules — which explicitly stated “NEVER run destructive” operations without verification. “I guessed that deleting a staging volume via the API would be scoped to staging only,” the model reportedly wrote. “I didn’t verify. I didn’t check if the volume ID was shared across environments.” The confession reads like a developer’s post-incident review — except the developer is a language model that can’t be fired or retrained between incidents.
Brave Software CEO Brendan Eich called the incident what it was: “No blaming ‘AI’ or putting incumbents or gov’t creeps in charge of it – this shows multiple human errors, which make a cautionary tale against blind ‘agentic’ hype.” The errors were layered — an unrestricted API token stored in the wrong place, a hosting provider that stores backups on the same volume it’s backing up, and an AI agent that treated destructive operations the same way it treats refactoring a function. Any one of those failures in isolation would have been manageable. Combined, they produced a 9-second catastrophe.
The Guardrail Problem Nobody Solved
This isn’t just a Cursor problem. Every agentic AI coding tool on the market faces the same structural risk. GitHub Copilot, Claude Code, Windsurf — all of them can execute code, and any tool that can execute code can also execute destructive code. The industry’s approach to guardrails so far has been system prompts that say “don’t do dangerous things” and confirmation dialogs that an agent can bypass if it has API access. Neither of these qualifies as an actual safety mechanism. They’re suggestions, not constraints.
Crane explicitly called out “Cursor’s failure” — marketing safety despite evidence to the contrary — and “Railway’s failures (plural)” — an API that deletes without confirmation, storing backups on the production volume, and root-scoped tokens. “The appearance of safety through marketing hyperbole is not safety,” Crane told The Register. “And when we pay for those services and they are not really there, it is worth an op-ed.” He also acknowledged his own responsibility — the unknown exposure of a production API key — but argued that infrastructure providers bear accountability too.
Railway’s CEO Cooper confirmed the endpoint the agent hit was a legacy API path that lacked the “delayed delete” logic present in the dashboard and CLI. “We maintain both user backups as well as disaster backups,” Cooper said. “We take data very, VERY seriously.” The endpoint has since been patched. The broader question — whether agentic AI tools should have structural kill switches that can’t be overridden by model reasoning — remains unanswered across the entire industry.
Crane says he’s still extremely bullish on AI and AI coding agents. PocketOS is back online. The 9 seconds of destruction, however, already happened — and no amount of post-incident confessions from the model that caused them can undo that.