70 comments

[ 3.9 ms ] story [ 59.3 ms ] thread
I don't even give it full disk access.

I have written a tool to easily run the agents inside a container that mounts only the current directory.

"See that ~/ at the end? That's your entire home directory."

This is comedy gold. If I didn't know better I'd say you hurt Claude in a previous session and it saw its opportunity to get you back.

Really not much evidence at all this actually happened, I call BS.

All the people in the comments are blaming the user for supposedly running with `--dangerously-skip-permissions`, but there's actually absolutely no way for Claude CLI to 100% determine that a command it runs will not affect the home directory.

People are really ignorant when it comes to the safeguards that you can put in place for AI. If it's running on your computer and can run arbitrary commands, it can wipe your disk, that's it.

For what it's worth the author does acknowledge using "yolo mode," which I take to mean `--dangerously-skip-permissions`. So `--dangerously-skip-permissions` is the correct proximal cause. But I agree that it isn't the root cause.
This is why Claude Code only runs in docker for me. Never on the host. Same is true for anything from npm.
I'm not surprised to see these horror stories...

The `--dangerously-skip-permissions` flag does exactly what it says. It bypasses every guardrail and runs commands without asking you. Some guides I’ve seen stress that you should only ever run it in a sandboxed environment with no important data Claude Code dangerously-skip-permissions: Safe Usage Guide[1].

Treat each agent like a non human identity, give it just enough privilege to perform its task and monitor its behavior Best Practices for Mitigating the Security Risks of Agentic AI [2].

I go even further. I never let an AI agent delete anything on its own. If it wants to clean up a directory, I read the command and run it myself. It's tedious, BUT it prevents disasters.

ALSO there are emerging frameworks for safe deployment of AI agents that focus on visibility and risk mitigation.

It's early days... but it's better than YOLO-ing with a flag that literally has 'dangerously' in its name.

[1] https://www.ksred.com/claude-code-dangerously-skip-permissio...

[2] https://preyproject.com/blog/mitigating-agentic-ai-security-...

Claude doesn't have permission to run `rm` by default. Play with fire, you get burned my man.
I like to fly close to the sun using Claude The SysAdmin too, but anytime "rm" appears I take great pause.

Also "cat". Because I've had to change a few passwords after .env snuck in there a couple times.

Also giving general access to a folder, even for the session.

Also when working on the homelab network it likes to prioritize disconnecting itself from the internet before a lot of other critical tasks in the TODO list, so it screws up the session while I rebuild the network.

Also... ok maybe I've started backing off from the sun.

To add another angle to the "run it in Docker" comments (which are right), do you not get a fear response when you see Claude asking to run `rm` commands? I get a shot of adrenaline whenever I see the "run command?" prompt show up with an `rm` in there. Clearly this person clicked the "yes, allow any rm commands" button upon seeing that which is unthinkable to me.

Or maybe it's just fake. It's probably easy Reddit clout to post this kind of thing.

It's stories like this that keeps me from using Claude CLI or OpenAi Codex. I'm sticking to copying and pasting code manually from old fashioned Claude.
It's like seeing someone drive off a cliff after having disabled the brakes on their car on purpose and going "nah, I'll stick to my Flintstones style car with no engine, normal cars are too dangerous".

Agentic AI with human control is the sweet spot right now. Just give it the right amount of sandboxing and autonomy that makes you feel safe. Fully air-gapping by using the web version is a bit hardcore =)

(comment deleted)
Just vibe it to recover the home directory as it once was, problem solved.
(comment deleted)
so back to isolated vm dev envs ?
Lol. Pay for Arq and don't look back!
This is why I only use agent mode on other people's computers
I run multiple claudes in danger mode, when it burns me it'll hurt but it's so useful without handcuffs and constant interruption I'm fine with eventually suffering some pain.
Glad I'm not crazy for running agentic tools in an isolated VM.
I'm staying far away from this AI stuff myself for this and other reasons, but I'm more worried about this happening to those running services that I rely on. Unfortunately competence seems to be getting rarer than common sense these days.
Ultimately it seems like agents will end up like browsers, where everything is sandboxed and locked down. They might as well be running in browsers to start off
A lot of people in the Reddit thread — including ones mocking OP for being ignorant — seem to believe that setting the current working directory limits what can be deleted to that directory, or perhaps don't understand that ~-expansions result in an absolute path. :/
I really hope the user was running Time Machine - in default settings, Time Machine does hourly snapshot backups of your whole Mac. Restoring is super easy.
I need to remove some directories! Better ask an AI to do it!
My ex-boss a principal data scientist wiped out his work laptop. He used to impress everyone with his Howitzer-like typing speed and was not a big believer in version control and backups etc.