No it’s worse.

52b4a076bcbbbdc3...

Kind-1 (TextNote)

2026-04-28T13:32:42Z

↳ Reply to Event not found

54e79241e0635f54d3d9d6d7aca14d7a64dc0895c90b9743a260edea71850c0f...

No it’s worse.

They let the model have access to a staging environment and manage it itself, okay.

But they also put an API key with full Railway (their hosting) access for managing domains in the same workspace.

The model then found the key and deleted a production volume. Also deleted their snapshots of the volume because they were linked.

And then they blame an API for not having *are you sure* and manual confirmation via SMS/etc (wtf?? It’s an API!) and blame Cursor for not having guardrails that catch every destructive API action under the sun.
Like wtf

Raw JSON

{
  "kind": 1,
  "id": "54eb3da1ffc6bbb9634d543f1d591c062daf30c64bd019046d40a8508f98eb66",
  "pubkey": "52b4a076bcbbbdc3a1aefa3735816cf74993b1b8db202b01c883c58be7fad8bd",
  "created_at": 1777383162,
  "tags": [
    [
      "e",
      "54e79241e0635f54d3d9d6d7aca14d7a64dc0895c90b9743a260edea71850c0f",
      "wss://nos.lol",
      "root",
      "8aedc87160819e490cb0162acbd8c9a26d79e63db74f5b1b65939012924a7f05"
    ],
    [
      "p",
      "0ab61b965f5a28ceb46395938fa3d5e33d27b427753d6bb0169a6bd3e3261c7b"
    ],
    [
      "p",
      "8aedc87160819e490cb0162acbd8c9a26d79e63db74f5b1b65939012924a7f05"
    ]
  ],
  "content": "No it’s worse.\n\nThey let the model have access to a staging environment and manage it itself, okay.\n\nbut they also put a API key with full Railway (their hosting) access for managing domains in the same workspacd.\n\nThe model then found the key and deleted a production volume. Also deleted their snapshots of the volume because they were linked.\n\nAnd then they blame an API for not having *are you sure* and manual confirmation via SMS/etc (wtf?? It’s an API!) and blame Cursor for not having guardrails that catch every destructive API action under the sun.\nLike wtf",
  "sig": "bb79d65b4c385f6afa301f366c112c004cf14531e148975e89b42c315a8f138114f3f7890d14752029c3baf3cfb203cfb047509094e0879a64f3ba74d364afea"
}