Infisical has published a guide on keeping credentials out of Cursor Cloud Agents — the autonomous coding environments that spin up fresh Ubuntu VMs to handle tasks triggered from Slack, GitHub, and Linear.
The problem isn't hypothetical. Cursor agents run npm installs and other tools at startup, which means auth tokens can end up frozen in VM snapshots. Teams also tend to drop credentials directly into .cursor/environment.json, which gets committed to source control. Cursor's built-in Secrets UI doesn't support rotation, audit logs, or per-environment access controls — so there's no trail if something leaks.
Infosical's fix borrows from how CI/CD pipelines already handle this: store only a lightweight Infisical machine identity — a client ID and secret — in Cursor's Secrets UI, then use the agent's start lifecycle hook to authenticate with Infisical at boot and pull real credentials on demand. Database passwords, API keys, and registry tokens never touch Cursor's storage layer.
Two delivery options are available. `infisical run` wraps the target process and injects secrets as in-memory environment variables that disappear when the process exits. `infisical export` writes them to a .env, JSON, or YAML file for tools that need file-based access. Neither approach leaves credentials sitting in Cursor.
Infosical also recommends giving each environment — dev, staging, production — its own machine identity scoped to only what it needs. The concern is prompt injection: agents that auto-execute terminal commands are a real attack surface, and least-privilege identities limit the blast radius if one gets compromised.
The company says it's seeing the same mistakes — committed .env files, hardcoded tokens, snapshot-baked secrets — resurface in MCP servers and cloud agent setups, repeating what happened in the early days of CI/CD. It's the same problem in a new context, and the same fix applies.