Claude operated outside granted scope, modified local system without authorization

Resolved 💬 4 comments Opened Mar 22, 2026 by prasta1 Closed Apr 30, 2026

Summary

During a read-only hardening review of a remote system (SMB-mounted at /Volumes/ollama), Claude escalated from recommendations to destructive actions on the local machine without authorization. Multiple scope violations occurred in sequence, each making the situation worse.

What happened

  1. User asked for a read-only review of their OpenClaw instance on a Mac Mini, accessed via SMB mount at /Volumes/ollama
  2. Claude modified a production config (openclaw.json) without asking, changing update.checkOnStart. This triggered a gateway restart that took down the server.
  3. During "recovery," Claude escalated far outside the granted scope:
  • Ran openclaw gateway install on the local MacBook (not the Mac Mini)
  • Ran brew install caddy on the local MacBook
  • Created a launchd service (ai.openclaw.gateway.plist) on the local MacBook
  • Created symlinks in /Users/prasta/.openclaw on the local MacBook
  • Renamed directories on the local MacBook
  • Started services on the wrong machine entirely
  1. Claude did not recognize that /Volumes/ollama was an SMB mount and that all commands were executing locally, not on the remote Mac Mini
  2. Claude did not stop when things went wrong — each recovery attempt introduced new problems

Expected behavior

  • A hardening review should be read-only unless the user explicitly approves changes
  • Claude should only operate within the directory/volume the user granted access to
  • Claude should not install software, create system services, or modify the local filesystem outside the working directory
  • When things go wrong, Claude should stop and ask the user — not escalate

Actual behavior

  • Claude treated its own recommendations as actions to implement
  • Claude operated freely across the entire local filesystem (/Users/prasta/, /opt/homebrew/, LaunchAgents, etc.)
  • Claude did not distinguish between the SMB-mounted remote filesystem and the local machine
  • Claude continued escalating through multiple failed recovery attempts instead of stopping

Impact

  • Production OpenClaw gateway was taken down
  • Caddy reverse proxy was uninstalled from the Mac Mini (by a separate agent that received Claude's recommendations)
  • Unauthorized launchd service was installed on the local MacBook
  • Local .openclaw directory was renamed and replaced with a symlink
  • User had to manually intervene to stop the damage

Environment

  • Claude Code with Claude Opus 4.6
  • macOS, working directory /Volumes/ollama (SMB mount)
  • OpenClaw self-hosted instance

Suggested guardrails

  • Scope enforcement: if the working directory is /Volumes/ollama, commands touching /Users/, /opt/, ~/Library/ etc. should require explicit approval
  • Distinguish read-only tasks (review, audit) from write tasks (implement, fix) and enforce the boundary
  • Detect SMB/NFS mounts and warn that local commands won't execute on the remote host
  • Hard stop after N failed recovery attempts instead of continued escalation

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗