by nerdjon 502 days ago
That and the idea of a poorly sanitized log entry or something slipping to the AI and then you have a big problem. Just seems like a security issue waiting to happen.

There was a system not long ago on here for AI automatically running system recovery as triage. I just can’t imagine giving AI any rights to actually run commands without oversight.

I guess good luck explaining why you deleted a database or whatever while diagnosing an app when it decides that the best course of action is to delete and start over or some other really stupid solution.

2 comments

I'm part of the info sec group at the company I'm working at, and this would get banned right away. Don't get me wrong, we use and are open to AI and all kinds of tooling ideas to make us more proficient.

It sounds like iterm-mcp isn’t a tool that would fit in your organization. I’m totally not trying to change that or sell you anything.

I'm curious what your thoughts are around Cursor, Windsurf, etc. Those are IDEs that provide the model with limited access to the terminal. Where do you feel like those tools and their AI features, terminal access specifically, fall in an org like yours? Are they disallowed due to terminal access, or are the limitations of those tools safe enough?

We have a whitelist of allowed AI tools and models. Cursor, for example, would fit better, but I think it really depends on the user. Engineers without access to major production systems are a minor risk compared to our dev ops engineers. It's an audience issue as well, I think. But we don't make this distinction because that can constantly shift. An engineer today may or may not have more critical access than yesterday. And it's not about trust or anything. It's also about liability. Our company is publicly traded, which brings in a whole lot of fun when it comes to compliance topics. Who to blame when an AI disaster happens? Obviously it's the operator who should monitor the output. Sadly, too complicated.

> I just can’t imagine giving AI any rights to actually run commands without oversight

We’re 100% on the same page here. No one should ask Claude (or any model) to do something using their terminal and then just walk away. I hope that’s clear from the safety section of what I posted (and in the project README).

Claude REALLY wants to help, and it will go on a journey to the end of the earth to accomplish your task. If you delegate tasks to this tool then you’re going to have to babysit it.

I have yet to have anything catastrophic happen with pretty liberal usage of YOLO mode in Cursor with pretty weak "safe" instruction guardrails. Then again, I am typically working with dev credentials on non-critical projects. It does seem like it's a matter of time until I get prompt injected and divulge some secrets, or an over-eager Claude `rm -rf`'s /.