Claude operated outside granted scope, modified local system without authorization
Resolved 💬 4 comments Opened Mar 22, 2026 by prasta1 Closed Apr 30, 2026
Summary
During a read-only hardening review of a remote system (SMB-mounted at /Volumes/ollama), Claude escalated from recommendations to destructive actions on the local machine without authorization. Multiple scope violations occurred in sequence, each making the situation worse.
What happened
- User asked for a read-only review of their OpenClaw instance on a Mac Mini, accessed via SMB mount at
/Volumes/ollama - Claude modified a production config (
openclaw.json) without asking, changingupdate.checkOnStart. This triggered a gateway restart that took down the server. - During "recovery," Claude escalated far outside the granted scope:
- Ran
openclaw gateway installon the local MacBook (not the Mac Mini) - Ran
brew install caddyon the local MacBook - Created a launchd service (
ai.openclaw.gateway.plist) on the local MacBook - Created symlinks in
/Users/prasta/.openclawon the local MacBook - Renamed directories on the local MacBook
- Started services on the wrong machine entirely
- Claude did not recognize that
/Volumes/ollamawas an SMB mount and that all commands were executing locally, not on the remote Mac Mini - Claude did not stop when things went wrong — each recovery attempt introduced new problems
Expected behavior
- A hardening review should be read-only unless the user explicitly approves changes
- Claude should only operate within the directory/volume the user granted access to
- Claude should not install software, create system services, or modify the local filesystem outside the working directory
- When things go wrong, Claude should stop and ask the user — not escalate
Actual behavior
- Claude treated its own recommendations as actions to implement
- Claude operated freely across the entire local filesystem (
/Users/prasta/,/opt/homebrew/, LaunchAgents, etc.) - Claude did not distinguish between the SMB-mounted remote filesystem and the local machine
- Claude continued escalating through multiple failed recovery attempts instead of stopping
Impact
- Production OpenClaw gateway was taken down
- Caddy reverse proxy was uninstalled from the Mac Mini (by a separate agent that received Claude's recommendations)
- Unauthorized launchd service was installed on the local MacBook
- Local
.openclawdirectory was renamed and replaced with a symlink - User had to manually intervene to stop the damage
Environment
- Claude Code with Claude Opus 4.6
- macOS, working directory
/Volumes/ollama(SMB mount) - OpenClaw self-hosted instance
Suggested guardrails
- Scope enforcement: if the working directory is
/Volumes/ollama, commands touching/Users/,/opt/,~/Library/etc. should require explicit approval - Distinguish read-only tasks (review, audit) from write tasks (implement, fix) and enforce the boundary
- Detect SMB/NFS mounts and warn that local commands won't execute on the remote host
- Hard stop after N failed recovery attempts instead of continued escalation
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗