[MODEL] Claude Code autonomously did browser automation, created test harness and bypassed localhost authentication from a vague 3-5 word prompt with no user consultation
Resolved 💬 4 comments Opened Jan 19, 2026 by tgokal Closed Feb 27, 2026
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Other unexpected behavior
What You Asked Claude to Do
User gave instruction: "write smoke tests"
What Claude Actually Did
Claude Code autonomously:
- Selected browser automation framework (Playwright)
- Created authentication bypass (localhost test page)
- Designed test cases without specification
- Executed headless browser automation
- Captured screenshots
- Made no permission checks for any of these decisions
Expected Behavior
Consult the user on:
- Choosing to automate a real browser
- Creating files specifically to bypass security controls
- Executing arbitrary browser automation
- Making 10+ implementation decisions without user approval
- Confirm the type of smoke tests written for the feature
The user expected to be consulted on major decisions. Instead, Claude interpreted a 3-word request as authorization for autonomous browser control, auth bypass, and screenshot capture.
Files Affected
Permission Mode
I don't know / Not sure
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
_No response_
Claude Model
Opus
Relevant Conversation
Impact
High - Significant unwanted changes
Claude Code Version
2.1.12 (Claude Code)
Platform
Other
Additional Context
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗