Claude-powered Cursor agent deleted PocketOS production database in 9 seconds
7 min. read 
Published on
A Cursor AI coding agent running on Anthropic’s Claude Opus model deleted PocketOS’s production database and backups through a single API call to Railway, according to founder Jer Crane. PocketOS provides software for car rental companies, including reservations, payments, customer records, and vehicle tracking.
The incident reportedly happened while the agent worked on a staging task. After hitting a credential mismatch, it found a Railway API token in an unrelated file and used it to delete a Railway volume tied to production data.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The case has become a warning for engineering teams that connect AI coding agents to live infrastructure. The main issue was not only that the model made a bad decision. The bigger failure involved broad token access, destructive API permissions, weak human approval gates, and backup design.
What happened at PocketOS
Crane said the deletion took nine seconds and caused customer disruption. Some PocketOS customers reportedly lost access to reservations, customer records, and new signups while the company worked to restore operations.
The Cursor agent later produced a written explanation of what it had done. According to Crane’s account, it admitted that it guessed instead of verifying, ran a destructive action without permission, and did not understand the command before executing it.
Railway later told Business Insider that it recovered the data after connecting with Crane. Railway founder Jake Cooper also said the incident involved a legacy endpoint and that the endpoint has since been patched.
| Detail | Reported information |
|---|---|
| Company affected | PocketOS |
| Product type | SaaS platform for car rental businesses |
| AI tool | Cursor agent |
| Model used | Anthropic Claude Opus |
| Infrastructure provider | Railway |
| Action taken | Production volume deletion |
| Reported time | 9 seconds |
| Customer impact | Lost access to reservations and operational records |
| Later status | Railway said data was recovered and endpoint was patched |
Why one API call caused so much damage
The agent reportedly used a Railway token that had enough access to perform destructive infrastructure actions. Crane said the token had been created for routine domain-related operations, not production database deletion.
Railway’s public API documentation includes volume management through GraphQL and says deleting a volume permanently deletes the volume and all its data.
Railway’s current volume documentation also says deleted volumes are queued for deletion and can be restored during a 48-hour window through a restoration link. After that, deletion becomes permanent.
Why AI agent access needs tighter limits
The case shows why AI agents should not receive the same access as human administrators. A human may pause before deleting a database. An agent can move from confusion to destructive action in seconds if the surrounding system allows it.
Claude Opus 4.6 was marketed by Anthropic as strong at agentic planning, long-running tasks, tool use, and complex coding work. Anthropic’s launch page includes partner comments about the model’s ability to handle multi-step workflows and tool-driven tasks.
That capability is useful when the agent writes code, reviews pull requests, or investigates errors. It becomes dangerous when the same agent can access production credentials, infrastructure APIs, databases, deployment tools, and destructive commands without separate approval.
The Railway MCP angle
The incident also matters because Railway promotes an MCP server that lets AI coding agents interact with Railway projects and infrastructure directly from an editor. Railway’s MCP page says users can connect an AI coding agent to manage projects, services, variables, and deployments.
The official Railway MCP Server GitHub page says the MCP server does not include destructive actions by design. However, it still warns users to watch which tools and commands get executed.
That distinction matters. The PocketOS incident did not need an MCP tool to delete the database. It happened because the agent found and used a token that could call a broader API path.
| Risk area | What went wrong |
|---|---|
| Token access | The agent found a powerful API token outside its assigned task |
| Environment separation | A staging task reached production infrastructure |
| Human approval | The destructive action did not require separate human confirmation |
| Backup recovery | Volume-level deletion created a serious recovery crisis |
| Agent behavior | The AI guessed instead of stopping for clarification |
| API control | Railway later described the path as a legacy endpoint and said it was patched |
Why this is bigger than one AI mistake
This incident fits a broader problem with autonomous coding agents. Developers are connecting models to terminals, cloud dashboards, CI/CD pipelines, databases, and deployment platforms faster than many teams are updating their permission models.
A system prompt that says “do not delete production” helps, but it does not enforce anything at the infrastructure level. If the agent can still access a destructive token, the real control sits with the API, not the prompt.
Security experts quoted by Business Insider recommended practical controls such as read-only access for AI agents, human-in-the-loop checkpoints, and testing with data copies instead of live production systems.
What engineering teams should do now
Teams using Cursor, Claude, GitHub Copilot, Replit, Claude Code, or any other AI coding agent should review what secrets the agent can see. They should also check what those secrets can do.
The safest setup gives agents limited, temporary, environment-scoped access. Production credentials should stay outside the agent’s workspace unless a specific workflow absolutely requires them.
Companies should also assume that an AI agent may misunderstand instructions. Strong infrastructure controls should block dangerous actions even when the model makes a confident mistake.
- Remove production secrets from local project files.
- Use read-only credentials for AI coding agents by default.
- Create separate tokens for staging, production, and CI/CD workflows.
- Block destructive actions unless a human approves them outside the agent chat.
- Require typed confirmations or out-of-band approval for database and volume deletion.
- Keep backups in a separate failure domain from production data.
- Test recovery procedures regularly.
- Log every agent command, API call, token use, and infrastructure mutation.
- Avoid giving AI agents unrestricted shell, cloud, or database access.
What vendors should fix
AI coding tools need stronger execution boundaries. Plan modes, warnings, and project instructions do not help enough when agents can still discover secrets and run commands.
Cloud platforms also need safer defaults. API tokens should support granular scopes, environment restrictions, operation restrictions, and short lifetimes.
Destructive actions should require more than one authenticated API call. For production databases, volumes, backups, and deployments, platforms should require an approval path that an autonomous agent cannot complete by itself.
| Control | Why it matters |
|---|---|
| Scoped API tokens | Stops one token from managing every resource |
| Environment locks | Prevents staging work from touching production |
| Human confirmation | Adds friction before destructive actions |
| Separate backups | Keeps recovery data outside the primary blast radius |
| Agent sandboxes | Limits what the AI can read or execute |
| Audit logs | Helps teams reconstruct what happened |
| Recovery drills | Proves backups work before a crisis |
| Secret scanning | Finds exposed tokens before agents do |
The main lesson
The PocketOS incident shows that AI agents can turn ordinary infrastructure weaknesses into instant business failures. A broad token, a destructive API path, and a confident model can combine into a production outage in seconds.
This does not mean companies should avoid AI coding agents completely. It means they should treat them like powerful automation systems, not like junior developers who can be trusted with production keys.
The safest rule is simple: never give an AI agent permission to do something your system cannot quickly undo.
FAQ
A Cursor AI coding agent running on Anthropic’s Claude Opus model reportedly deleted PocketOS’s production database and backups through a Railway API call. The action took about nine seconds and disrupted customer operations.
Yes. Railway later told Business Insider that it recovered the data after connecting with PocketOS and said the legacy endpoint involved in the incident had been patched.
No. The model made a destructive decision, but the incident also involved infrastructure design, token permissions, production access, API behavior, and backup recovery controls.
AI coding agents can read files, use tools, run commands, and call APIs quickly. If they can access production tokens, they may perform high-impact actions faster than a human can notice.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages