Claude CLI deleted my home directory. Wiped my whole Mac
79 comments
December 14, 2025 · orliesaurus
JumpCrisscross
> I'm not surprised to see these horror stories
I am! To the point that I don’t believe it!
You’re running an agentic AI and can parse through the logs, but you can’t sandbox or keep backups?
Like, I’ve given Copilot permission to fuck with my admin panel and it proceeded to bill thousands of dollars creating heat maps of the density of structures in Milwaukee, buying subscriptions to SAP Joule and ArcGIS for Teams, and generating terabytes of nonsense maps, ballistic paths and “an architectural sketch of a massive bird cage the size of Milpitas, California (approximately 13 square miles)” resembling “a futuristic aviary city with large domes, interconnected sky bridges, perches, and naturalistic environments like forests, lakes, and cliffs inside.”
But support immediately refunded everything, I had backups and the whole thing was hilarious if irritating.
mjd
A few months ago I noticed that even without `--dangerously-skip-permissions`, when Claude thought it was restricting itself to directory D, it was still happy to operate on file `D/../../../../etc/passwd`.
That was the last time I ran Claude Code outside of a Docker container.
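The bug mjd describes is the classic path-traversal mistake: checking a path as a string instead of resolving it first. A minimal sketch of a correct containment check in Python (function name and paths are my own illustration, not Claude Code's actual logic):

```python
import os

def is_within(base, path):
    """Return True only if `path` resolves inside `base` after
    normalizing symlinks and `..` components."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))
    # commonpath collapses to `base` only when target is under it
    return os.path.commonpath([base, target]) == base

# A naive string-prefix check would accept the first path, since it
# "starts inside" the allowed directory; resolution rejects it.
print(is_within("/tmp/project", "../../../../etc/passwd"))  # False
print(is_within("/tmp/project", "src/main.py"))             # True
```

Anything that compares before resolving (or resolves before comparing but then prefix-matches strings, so `/tmp/project-evil` passes) has the same hole.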
SoftTalker
You don't even need a container. Make claude a local user. Without sudo permission. It will be confined to damaging its own home directory only.
mjd
And reading any world-readable file.
No thanks, containers it is.
Dylan16807
By operate on you mean that actually got through and it opened the file?
mjd
Yes, although the example I had it operate on was different.
forrestthewoods
AI tools are honestly unusable without running in yolo mode. You have to baby every single little command. It is utterly miserable and awful.
skeledrew
Better to continuously baby than to have intense regrets.
upbeat_general
I really wish there were an “almost yolo” mode that was permissive but with light restrictions (e.g., no rm), or better yet a light supervisor model that blocks very dangerous commands but allows everything else.
dnw
If you are on macOS, it's not a bad idea to wrap your claude or other coding agents in sandbox-exec. The agents already use sandbox-exec themselves, but they can disable their own sandbox. Agents execute a lot of untrusted code in the form of MCP servers, skills, plugins, etc.
One can go a bit crazy with it, using zsh's chpwd hook, so a sandbox is created on entry into a project directory and disposed of on exit. That way one doesn't have to _think_ about sandboxing something.
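For reference, a minimal sandbox-exec profile along those lines might look like this (paths and rules are illustrative only; Apple marks sandbox-exec as deprecated, but it still works):

```
;; example.sb -- illustrative SBPL profile, paths are assumptions
(version 1)
(deny default)
(allow process-exec)
(allow process-fork)
(allow file-read*)                                 ; read anywhere
(allow file-write* (subpath "/Users/me/project"))  ; write only inside the project
(allow network*)                                   ; agent still needs its API

;; usage: sandbox-exec -f example.sb claude
```

The chpwd trick is then just a zsh hook that re-launches the shell (or the agent) under `sandbox-exec -f` with the current project directory substituted into the write rule.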
userbinator
I'm staying far away from this AI stuff myself for this and other reasons, but I'm more worried about this happening to those running services that I rely on. Unfortunately competence seems to be getting rarer than common sense these days.
impulser_
Don't worry, you can use these tools and not be an idiot. Just read and confirm what it does. It's that simple.
alsetmusic
The funny thing about it is how no one learns. Granted, one can’t be expected to read every thread on Reddit about LLM development by people who are out of their depth (see the person who nuked their D: drive last month and the LLM apologized). But I’m reminded of the multiple lawyers who submitted bullshit briefs to courts with made-up citations.
Those who don’t know history are doomed to repeat it. Those who know history are doomed to know that it’s repeating. It’s a personal hell that I’m in. Pull up a chair.
chasd00
I work on large systems where security incidents end up on CNN. These large systems are racing toward LLM integration as fast as everyone else. The security practice at my firm has its hands basically tied by the silverbacks. To the other consultants on HN: protect yourself and keep a paper trail.
maxbond
Friends don't let friends use agentic tooling without sandboxing. Take a few hours to set up your environment to sandbox your agentic tools, or expect to eventually suffer a similar incident. It's like driving without a seatbelt.
Consider cases like these to be canaries in the coal mine. Even if you're operating with enough wisdom and experience to avoid this particular mistake, a dangerous prompt might appear more innocuous, or you may accidentally ingest malicious files that instruct the agent to break your system.
abigail95
I run multiple claudes in danger mode. When it burns me it'll hurt, but it's so useful without handcuffs and constant interruption that I'm fine with eventually suffering some pain.
maxbond
If you don't impose some kind of sandboxing, how can you put an upper bound on the level of "pain"? What if the agent leaked a bunch of sensitive information about your biggest customer, and they fired you?
tobyjsullivan
Likewise. I’ll regret it but I certainly won’t be complaining to the Internet that it did what I told it to (skip permission checks, etc.). It’s a feature, not a bug.
hurturue
I do too. Except I can't be burnt, since I start each claude in a separate VM.
I have a script that clones a VM from a base image and sets up the agent and the code base inside.
I also mount read-only a few host directories with data.
I still have exfiltration/prompt-injection risks. I'm looking at adding URL allow lists, but it's not trivial: you basically need an HTTP proxy, since firewalls work on IPs, not URLs.
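The per-request check such a proxy would apply is simple; the hard part is terminating TLS so the proxy can see the full URL at all. A sketch of the allow-list test itself (hostnames are illustrative assumptions):

```python
from urllib.parse import urlsplit

# Hypothetical allow list for an egress-filtering proxy.
ALLOWED_HOSTS = {"api.anthropic.com", "pypi.org", "files.pythonhosted.org"}

def allowed(url: str) -> bool:
    """Permit a request only if its hostname is on the allow list.
    An IP firewall can't make this decision, because many unrelated
    hosts share the same CDN addresses."""
    host = urlsplit(url).hostname or ""
    return host.lower() in ALLOWED_HOSTS

print(allowed("https://pypi.org/simple/requests/"))    # True
print(allowed("https://evil.example/exfil?data=abc"))  # False
```

In practice you'd put this predicate inside a MITM-capable proxy (with its CA certificate installed in the VM) so HTTPS requests can be inspected before they leave.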
driverdan
Please post when it breaks something important so we can laugh at you.
layer8
Someone in the Reddit thread linked to https://github.com/agentify-sh/safeexec/ for mitigation.
cheschire
I like to fly close to the sun using Claude The SysAdmin too, but anytime "rm" appears I take great pause.
Also "cat". Because I've had to change a few passwords after .env snuck in there a couple times.
Also giving general access to a folder, even for the session.
Also when working on the homelab network it likes to prioritize disconnecting itself from the internet before a lot of other critical tasks in the TODO list, so it screws up the session while I rebuild the network.
Also... ok maybe I've started backing off from the sun.
blitz_skull
Claude doesn't have permission to run `rm` by default. Play with fire, you get burned, my man.
hurturue
There's an infinite number of ways to delete a file; deny-listing commands doesn't work.
python3 -c "import os; os.unlink(os.path.expanduser('~/.bashrc'))"
irishcoffee
I have no idea if this is possible: mv ~/* /dev/null
realo
Try that one instead:
mv ~/. /dev/null
Better.
Extra points if you achieve that one also:
mv /. /dev/null
Slashdot aficionados might object to that last one, though.
klempner
Speaking of Slashdot, some fairly frequent poster back around 2001/2002 had a signature that was something like
mv /bin/laden /dev/null
and then someone explained how that was broken: even if it succeeds, what you've done is replace the device file /dev/null with the regular file that was previously at /bin/laden. From then on, whenever anything redirects its output to /dev/null, it will be overwriting that random regular file rather than having the output discarded immediately, which is moderately bad.
Your version will just fail (even assuming root), because mv won't let you replace a file with a directory.
blitz_skull
Hmm... Let me go run it real quick without checking what it does.
EDIT: OH MY GOD
irishcoffee
Har har, I meant within the permission framework of the bots people unleash on their personal computers.
I assume yes.
impulser_
Rule 1: Never ever run any of these tools in automatic mode.
I'm not surprised to see these horror stories...
The `--dangerously-skip-permissions` flag does exactly what it says: it bypasses every guardrail and runs commands without asking you. Some guides I’ve seen stress that you should only ever run it in a sandboxed environment with no important data [1].
Treat each agent like a non-human identity: give it just enough privilege to perform its task and monitor its behavior [2].
I go even further. I never let an AI agent delete anything on its own. If it wants to clean up a directory, I read the command and run it myself. It's tedious, BUT it prevents disasters.
ALSO there are emerging frameworks for safe deployment of AI agents that focus on visibility and risk mitigation.
It's early days... but it's better than YOLO-ing with a flag that literally has 'dangerously' in its name.
[1] https://www.ksred.com/claude-code-dangerously-skip-permissio...
[2] https://preyproject.com/blog/mitigating-agentic-ai-security-...