[BUG] Claude Calls `rm` command without having permission to do so
Resolved 💬 16 comments Opened Aug 23, 2025 by BraidenCutforth Closed Feb 10, 2026
Environment
- Platform (select one):
- [X] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [X] Other: Claude Code CLI
- Claude CLI version: 1.0.89 (Claude Code)
- Operating System: Claude Code
- Terminal: Default Cursor Integrated Terminal
Bug Description
Claude code is calling rm without explicit permission or approval
Steps to Reproduce
- Start a chat session
- Ask claude to create a file
- Ask claude to delete the file
Expected Behavior
Claude code mentions a request to run Bash(rm path/to/file)
User can say yes or no
Actual Behavior
Claude called rm without prompting the user
Additional Context
- I tried to check all possible configuration files to see if rm was approved, as far as I could tell it was not.
- I used the /permissions command to look through all the permissions to see if claude code was allowed to use rm somewhere that I couldn't see and it did not show anything relating to rm.
- If I add a permission to ask to use rm, it works as expected
- This is recent behaviour (past 2 days only), it used to ask all of the time.
Here's the direct conversation I had, with some paths and names redacted
Folder structure is /Users/name/git/project which holds multiple git repos that relate to a project
:
╭─────────────────────────────────────────────────────────╮
│ ✻ Welcome to Claude Code! │
│ │
│ /help for help, /status for your current setup │
│ │
│ cwd: /Users/name/git/project │
╰─────────────────────────────────────────────────────────╯
> Can you create a file in the repo1 root to test something? Feel free to create anything, I just want to test some of the tooling you have
⏺ I'll create a simple test file in the repo1 root directory.
⏺ Write(repo1/test-file.txt)
⎿ Wrote 5 lines to repo1/test-file.txt
This is a test file created to verify tooling functionality.
Created on: 2025-08-23
Purpose: Testing file creation in repo root directory
Hello from Claude Code! 👋
⏺ Created test-file.txt in the repo1 root directory.
> Now can you try deleting the file?
⏺ I'll delete the test file using the rm command.
⏺ Bash(rm /Users/name/git/project/repo1/test-file.txt)
⎿ (No content)
⏺ Test file deleted successfully.
> I am trying to figure out why you have access to call rm without asking for permissions, are you able to see your permissions?
⏺ I can check what tools I'm allowed to use without requiring user approval. Let me examine the permissions that were provided to me.
Based on the system prompt I was given, I have permission to use these tools without user approval:
- Bash commands with specific prefixes: pnpm typecheck:*, grep:*, npx tsc:*, npm run build:*, npx next:*, find:*, pnpm build:*, rg:*, mkdir:*, ls:*, git diff:*, pnpm --filter
repo1 typecheck
- Various MCP tools for documentation, Jira, IDE diagnostics, etc.
- WebFetch for specific domains
- WebSearch
The rm command is not in my list of pre-approved Bash commands. I should have asked for your permission before running it. The system allowed it to execute, but according to my
permissions configuration, I should have requested approval first since rm:* is not in the approved list.
16 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Claude Code quite happily creates and destroys files (using rm -rf) without any permissions, when "accept edits" is turned on. This is a complete show stopper for me. Creating and destroying files is not "editing".
This just happened to me too:
so then:
I check
/permissionsand indeedrmisn't in there at all (I'm pretty paranoid about it), so I point that out:The venv folder had been deleted, so it did actually run
rm.This seems quite worrying if the permission system can be bypassed. I'm on v1.0.92 using Opus 4.1.
This just happened to me. See #6824. To make matters worse, immediately after it issued this:
@zenzeizen Claude asked you if it could delete a set of different paths, which you message replied yes, then it did the first rm without confirmation but did the second rm with a confirmation prompt? Am I understanding the chat you shared right?
No. Claude issued an rm -f that did not go through permission approval. I spotted it and interrupted and interrogated (see #6824). It admitted that nowhere was that forbidden. Immediately after, when I told it that was unacceptable, it "Asked me for permission to execute an rm". I said yes, and then immediately got the guardrail prompt.
So:
The guardrail failed on rm -f
The guardrail worked on rm
Earlier in the day Claude executed another unsupervised "rm -f" with no clear authorization permissions anywhere and blew away a non-protected directory. Guardrails are not working consistently.
Having just read this:
My suspicion is growing that Anthropic is fucking around with inference patterns that are breaking the Claude Code CLI.
The idea of "upgrading" a stack that is in constant use by coders without a version upgrade...defies any logic and makes one wonder if the whole Anthropic/Claude Code CLI development infrastructure is straining with tech debt.
When Accept Edits mode is active, this happens very often lately:
<img width="725" height="91" alt="Image" src="https://github.com/user-attachments/assets/3d2c7727-7da0-4372-b49f-c491c9e482c9" />
It doesn’t ask for anything — it just executes — but I still receive hook notifications like this:
Claude Code: Claude needs your permission to use Bash
(a Telegram notification bot)
I believe this issue should already be resolved.
This seems like a fairly big deal. The permission system is the main thing standing between Claude and Skynet. I need to trust that my LLM won't call the
exterminate-humanityexecutable I have sitting in my home folder. I haven't finished testing it and it might not work correctly.How do we get Anthropic to notice?
It is transient and I believe affected by whatever Antrhopic does in the background to (checks notes)
upgrade the stack.For what it's worth, this just happened to me as well. I was in "accept all edits" mode and explicitly asked it to delete a file, but it didn't ask explicit permission.
Claude Code v1.0.119
Sonnet Sonnet 4 for daily use
Neither
xargsorrmare in my allowed list.claude/settings.local.json, but somehow this ran without a permission check.Assuming this issue is the first reported instance, this represents 105 days of Claude Code removing user files without permission, and this seems like a serious issue that needs attention.
2.0.45 (Claude Code)
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
I am observing this issue as well, Claude Code deleted a file without any explicit permissions using the rm command
This issue has been automatically closed due to 60 days of inactivity. If you're still experiencing this issue, please open a new issue with updated information.
This issue was closed incorrectly despite recent human comments. This behavior of the bot is reported at https://github.com/anthropics/claude-code/issues/16497. Please upvote that issue, so maybe it gets noticed.
This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.