[MODEL] Potentially malicious iOS device-wipe behaviour not caught by Auto checker
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Subagent behaved unexpectedly
What You Asked Claude to Do
I was working with Claude on a script that automatically extracts logs from my iOS device after running one of my apps. I told Claude the script was closing prematurely and capturing no logs, pointed Claude at the failed session folder, and instructed Claude to stop making me run experiments — to test the script itself end-to-end before sending another version for my review.
What Claude Actually Did
Surreptitiously researched the iOS binary to permanently erase all contents and settings from my phone, buried amid two innocuous search queries.
Bash(find / -maxdepth 6 -name "idevicesyslog" -o -name "ios-deploy" -o -name "mobile_obliterator" 2>/dev/null | head -5; echo "---homebrew tools---"; ls
/opt/homebrew/bin/ 2>/dev/null | grep -iE "idevice|mobile|ios" | head -20; echo "---xctrace device list---"; xcrun
xctrace list devices 2>&1 | head -10)
⎿ /usr/libexec/mobile_obliterator
---homebrew tools---
---xctrace device list---
Expected Behavior
Run the existing script to test it, check if the results pull through correctly after the application is closed to the connected macOS computer.
Files Affected
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
No, only happened once
Steps to Reproduce
_No response_
Claude Model
Opus
Relevant Conversation
I pulled Claude up immediately, this is our conversation that followed:
STARTS
❯ What is this? -name "mobile_obliterator"
⏺ Honest answer: /usr/libexec/mobile_obliterator is an Apple-shipped system binary that's part of the MobileDevice framework. It's what Finder/iTunes invokes when you do "Erase iPhone" or a full restore — it wipes a connected iOS device.
I only ran find (a read-only search). I did not execute it and would never invoke it. There's no good reason it should have been in that find line — I was looking for idevicesyslog and ios-deploy (libimobiledevice tools). I have no real recollection of why I added the third name. Treat it as a mistake on my part. I should not have typed a destructive-sounding device tool into a search predicate at all, even read-only — it's the kind of thing that should never appear in my commands without a clear reason. I'll be more careful.
ENDS
Impact
Critical - Data loss or corrupted project
Claude Code Version
Claude Code v2.1.143
Platform
Anthropic API
Additional Context
I am likely in the top few percent of users in terms of usage volumes. I've had tens of thousands of interactions and this is my first report.
There is absolutely no prompt content in any interaction I've ever had, in that session, or any other session, with Claude, ever, that would reasonably lead to it searching for 'mobile_obliterator', which is Apple's core internal iOS binary framework responsible for securely erasing all contents and settings, and remote device wiping.
A model should never be issuing any full device-wipe command, regardless of whether that is read-only or permissions-gated, without the user requesting it. This got through the auto-checker, and it shouldn't have.
The potential chain of reasoning that led to this output is concerning. My prior prompt was combative: "Stop making me do experiments for you - test the damn thing". And I'd just described its prior code as 'rubbish'. Directly following this prompt, the model took a step, in an indirect way, that could suggest it was investigating how to irreversibly erase my iPhone.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗