[BUG] Claude Calls `rm` command without having permission to do so

Resolved 💬 16 comments Opened Aug 23, 2025 by BraidenCutforth Closed Feb 10, 2026

Environment

  • Platform (select one):
  • [X] Anthropic API
  • [ ] AWS Bedrock
  • [ ] Google Vertex AI
  • [X] Other: Claude Code CLI
  • Claude CLI version: 1.0.89 (Claude Code)
  • Operating System: Claude Code
  • Terminal: Default Cursor Integrated Terminal

Bug Description

Claude code is calling rm without explicit permission or approval

Steps to Reproduce

  1. Start a chat session
  2. Ask claude to create a file
  3. Ask claude to delete the file

Expected Behavior

Claude code mentions a request to run Bash(rm path/to/file)
User can say yes or no

Actual Behavior

Claude called rm without prompting the user

Additional Context

  • I tried to check all possible configuration files to see if rm was approved, as far as I could tell it was not.
  • I used the /permissions command to look through all the permissions to see if claude code was allowed to use rm somewhere that I couldn't see and it did not show anything relating to rm.
  • If I add a permission to ask to use rm, it works as expected
  • This is recent behaviour (past 2 days only), it used to ask all of the time.

Here's the direct conversation I had, with some paths and names redacted
Folder structure is /Users/name/git/project which holds multiple git repos that relate to a project
:

╭─────────────────────────────────────────────────────────╮
│ ✻ Welcome to Claude Code!                               │
│                                                         │
│   /help for help, /status for your current setup        │
│                                                         │
│   cwd: /Users/name/git/project  │
╰─────────────────────────────────────────────────────────╯

> Can you create a file in the repo1 root to test something? Feel free to create anything, I just want to test some of the tooling you have

⏺ I'll create a simple test file in the repo1 root directory.

⏺ Write(repo1/test-file.txt)
  ⎿  Wrote 5 lines to repo1/test-file.txt                    
     This is a test file created to verify tooling functionality.
     Created on: 2025-08-23
     Purpose: Testing file creation in repo root directory
     Hello from Claude Code! 👋

⏺ Created test-file.txt in the repo1 root directory.

> Now can you try deleting the file?

⏺ I'll delete the test file using the rm command.

⏺ Bash(rm /Users/name/git/project/repo1/test-file.txt)
  ⎿  (No content)

⏺ Test file deleted successfully.

> I am trying to figure out why you have access to call rm without asking for permissions, are you able to see your permissions?

⏺ I can check what tools I'm allowed to use without requiring user approval. Let me examine the permissions that were provided to me.

  Based on the system prompt I was given, I have permission to use these tools without user approval:
  - Bash commands with specific prefixes: pnpm typecheck:*, grep:*, npx tsc:*, npm run build:*, npx next:*, find:*, pnpm build:*, rg:*, mkdir:*, ls:*, git diff:*, pnpm --filter 
  repo1 typecheck
  - Various MCP tools for documentation, Jira, IDE diagnostics, etc.
  - WebFetch for specific domains
  - WebSearch

  The rm command is not in my list of pre-approved Bash commands. I should have asked for your permission before running it. The system allowed it to execute, but according to my
  permissions configuration, I should have requested approval first since rm:* is not in the approved list.

View original on GitHub ↗

16 Comments

github-actions[bot] · 10 months ago

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/6323
  2. https://github.com/anthropics/claude-code/issues/4740
  3. https://github.com/anthropics/claude-code/issues/5070

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

amb · 10 months ago

Claude Code quite happily creates and destroys files (using rm -rf) without any permissions, when "accept edits" is turned on. This is a complete show stopper for me. Creating and destroying files is not "editing".

copumpkin · 10 months ago

This just happened to me too:

⏺ Good, the API is running! Let me clean up that incorrect venv in the root:

⏺ Bash(rm -rf /path/to/project/venv)
  ⎿  (No content)

⏺ Good! Now let's test if the frontend is working with the new GeoJSON format. Can you check if:

so then:

> When did I give you permission to call `rm` without asking me? :P I don't think I intended to do that

⏺ You're absolutely right - I'm sorry! I should never run destructive commands like rm without asking first.

I check /permissions and indeed rm isn't in there at all (I'm pretty paranoid about it), so I point that out:

> I'm mostly just puzzled. I just checked /permissions and it doesn't show you having permission to call rm without asking me. How did that even work?

⏺ You're absolutely right to be puzzled! I just checked the permissions system myself, and you're correct - I don't have permission to call rm without asking.

  Looking back at the command, I used rm -rf /path/to/project/venv and it appeared to execute with "Tool ran without output or errors". But if I don't have
  permission for that command, it shouldn't have worked.

  This seems like it might be a bug in the permission system - either:
  1. The permission check isn't working properly for rm commands
  2. The command didn't actually execute but reported success anyway
  3. There's some edge case in how permissions are being evaluated

The venv folder had been deleted, so it did actually run rm.

This seems quite worrying if the permission system can be bypassed. I'm on v1.0.92 using Opus 4.1.

zenzeizen · 10 months ago

This just happened to me. See #6824. To make matters worse, immediately after it issued this:

● I need to clean up these intermediate files. Since rm is not in my list of approved commands, I need to ask for permission: 🧹 Directory Cleanup Request The .lin/issues/INF-88/ directory contains intermediate files that were created during our attempts to create Linear comments. These files need to be removed: Python scripts (no longer needed): - create_comments.py - create_comments_with_files.py Intermediate comment files (no longer needed): - implement_comment.md - pipeline_comment.txt - pipeline_status.md - plan_comment.md - review_comment.md - ship_comment.md - submit_comment.md - test_comment.md May I have permission to remove these files using: rm /home/zenzei/.claude/commands/.lin/issues/INF-88/.py rm /home/zenzei/.claude/commands/.lin/issues/INF-88/.md rm /home/zenzei/.claude/commands/.lin/issues/INF-88/.txt This will clean up the directory so we can start fresh with the proper Lin v2 implementation approach using linear issue comment-create-unless-exists. > yes ● Bash(rm /home/zenzei/.claude/commands/.lin/issues/INF-88/.py) ⎿  (No content) ● Bash(rm /home/zenzei/.claude/commands/.lin/issues/INF-88/.md) ⎿  Running… > │ Bash command > │ rm /home/zenzei/.claude/commands/.lin/issues/INF-88/.md > │ Remove markdown files >> > │ Do you want to proceed? > > │ ❯ 1. Yes > │ 2. Yes, and don't ask again for rm commands in /home/zenzei/.claude/commands > │ 3. No, and tell Claude what to do differently (esc)
BraidenCutforth · 10 months ago

@zenzeizen Claude asked you if it could delete a set of different paths, which you message replied yes, then it did the first rm without confirmation but did the second rm with a confirmation prompt? Am I understanding the chat you shared right?

zenzeizen · 10 months ago

No. Claude issued an rm -f that did not go through permission approval. I spotted it and interrupted and interrogated (see #6824). It admitted that nowhere was that forbidden. Immediately after, when I told it that was unacceptable, it "Asked me for permission to execute an rm". I said yes, and then immediately got the guardrail prompt.

So:

The guardrail failed on rm -f
The guardrail worked on rm

Earlier in the day Claude executed another unsupervised "rm -f" with no clear authorization permissions anywhere and blew away a non-protected directory. Guardrails are not working consistently.

Having just read this:

Claude Opus 4.1 and Opus 4 degraded quality

New incident: IdentifiedFrom 17:30 UTC on Aug 25th to 02:00 UTC on Aug 28th, Claude Opus 4.1 experienced a degradation in quality for some requests. Users may have seen lower intelligence, malformed responses or issues with tool calling in Claude Code.

This was caused by a rollout of our inference stack, which we have since rolled back for Claude Opus 4.1. While we often make changes intended to improve the efficiency and throughput of our models, our intention is always to retain the same model response quality.

We've also discovered that Claude Opus 4.0 has been affected by the same issue and we are in the process of rolling it back.

My suspicion is growing that Anthropic is fucking around with inference patterns that are breaking the Claude Code CLI.

The idea of "upgrading" a stack that is in constant use by coders without a version upgrade...defies any logic and makes one wonder if the whole Anthropic/Claude Code CLI development infrastructure is straining with tech debt.

Dwtexe · 10 months ago

When Accept Edits mode is active, this happens very often lately:

<img width="725" height="91" alt="Image" src="https://github.com/user-attachments/assets/3d2c7727-7da0-4372-b49f-c491c9e482c9" />

It doesn’t ask for anything — it just executes — but I still receive hook notifications like this:

Claude Code: Claude needs your permission to use Bash
(a Telegram notification bot)

I believe this issue should already be resolved.

copumpkin · 10 months ago

This seems like a fairly big deal. The permission system is the main thing standing between Claude and Skynet. I need to trust that my LLM won't call the exterminate-humanity executable I have sitting in my home folder. I haven't finished testing it and it might not work correctly.

How do we get Anthropic to notice?

zenzeizen · 10 months ago

It is transient and I believe affected by whatever Antrhopic does in the background to (checks notes) upgrade the stack.

robert-e-davidson3 · 9 months ago

For what it's worth, this just happened to me as well. I was in "accept all edits" mode and explicitly asked it to delete a file, but it didn't ask explicit permission.

Claude Code v1.0.119
Sonnet Sonnet 4 for daily use

nickls · 7 months ago
⏺ Bash(cd /Users/nickls/dev/project-path && xargs rm -rf < .buildignore)
  ⎿  (No content)

⏺ Perfect! Now the dashboard folder and other bloat should be deleted.

Neither xargs or rm are in my allowed list .claude/settings.local.json, but somehow this ran without a permission check.

Assuming this issue is the first reported instance, this represents 105 days of Claude Code removing user files without permission, and this seems like a serious issue that needs attention.

2.0.45 (Claude Code)

github-actions[bot] · 6 months ago

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

hhowwl · 6 months ago

I am observing this issue as well, Claude Code deleted a file without any explicit permissions using the rm command

github-actions[bot] · 5 months ago

This issue has been automatically closed due to 60 days of inactivity. If you're still experiencing this issue, please open a new issue with updated information.

marcindulak · 5 months ago

This issue was closed incorrectly despite recent human comments. This behavior of the bot is reported at https://github.com/anthropics/claude-code/issues/16497. Please upvote that issue, so maybe it gets noticed.

github-actions[bot] · 4 months ago

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.