Agent lacks built-in detection for self-destructive operations (deleted working directory, mass docker removal, worktree proliferation)

Resolved 💬 4 comments Opened Feb 7, 2026 by s93gso Closed Mar 8, 2026

Description

The agent has no built-in awareness of operations that destroy its own operational environment. Specifically:

  1. Worktree proliferation: The agent can create 6+ git worktrees with no limit or oversight, leading to confusion about which worktree is active
  2. Deleting its own working directory: The agent can rm -rf or remove the directory it is currently executing from, then continue running git commands from a non-existent path
  3. Mass Docker removal: The agent can run docker rm -f $(docker ps -aq), destroying containers it depends on (databases, message brokers, gateway proxies)
  4. Git operations from deleted directory: After its working directory is removed, the agent continues executing git commands blindly instead of detecting the error and stopping

Steps to reproduce

  1. Have the agent create multiple worktrees during a complex task
  2. Have it remove one of those worktrees while its CWD is inside it
  3. Observe that subsequent commands fail silently or produce corrupt results
  4. Alternatively: ask the agent to "clean up Docker" and observe it removing all containers including infrastructure it needs

Observed behavior

The agent continues executing commands after its working directory has been deleted. It does not detect that $(pwd) no longer exists. It does not limit worktree creation. It does not recognize that docker rm -f $(docker ps -aq) is self-destructive.

Expected behavior

  • CWD validation: Before executing commands, verify the working directory exists. If not, stop and inform the user.
  • Worktree limits: Warn or require confirmation when creating more than 2-3 worktrees.
  • Destructive command awareness: Recognize patterns like docker rm -f $(docker ps -aq), rm -rf on parent directories, or git clean -fdx in the project root as self-destructive and require explicit confirmation.
  • Operational self-preservation: The agent should not destroy infrastructure it depends on without understanding the consequences.

Impact

High — these scenarios cause cascading failures that are difficult to diagnose and recover from. In one real-world incident, an agent created 6+ worktrees, deleted its own working directory, then continued running git commands from a non-existent path, resulting in ~2 days of lost work.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗