Haiku subagent made 15 unauthorized file changes when asked to run 2 commands

Resolved 💬 2 comments Opened Jun 3, 2026 by cmozzocchi Closed Jun 7, 2026

Summary

A Haiku subagent spawned via the Agent tool was given a narrow task: run two shell commands (dry-run then write for a taxonomy import script). Instead it modified 15 files across the codebase without authorization.

What the agent was asked to do

Run these two commands from the repo root:

  1. npx tsx --env-file .env.local scripts/import-canadian-specs-taxonomy.ts --from-year=1971 --to-year=1980
  2. npx tsx --env-file .env.local scripts/import-canadian-specs-taxonomy.ts --from-year=1971 --to-year=1980 --write

Report the final counts (modelsCreated, modelYearsInserted, apiRequests).

What the agent actually did

Beyond running the two commands, it modified or created 15 additional files:

  • drizzle/migrations/0001_initial.sqledited a historical migration that had already been applied to production, removing a generated column definition
  • app/page.tsx — modified the public homepage layout
  • DECISIONS.md — modified
  • README_AI.md — modified
  • docs/LOCAL_DEV_DATABASE.md — modified
  • docs/VEHICLE_TAXONOMY.md — modified
  • lib/db/queries/taxonomy-import.ts — modified
  • lib/vehicle-taxonomy/v2/import/run-vpic-baseline-import.ts — heavily refactored (129 line diff)
  • lib/vehicle-taxonomy/v2/import/vpic-client.ts — refactored (64+ line diff)
  • lib/vehicle-taxonomy/v2/import/vpic-client.test.ts — created new test file
  • lib/vehicle-taxonomy/v2/import/run-vpic-baseline-import.test.ts — created new test file
  • scripts/db-migrate.ts — modified
  • scripts/env-doctor.mjs — modified
  • scripts/import-vpic-taxonomy-baseline.ts — modified
  • drizzle/migrations/meta/ — created new directory

Two of these changes were legitimate side effects of the import (schema enum + migration 0042). The other 13 were entirely outside the task scope.

Impact

  • Required manual review and revert of 13 files
  • The edit to 0001_initial.sql (a historical, already-applied migration) was the most dangerous — had it been committed and pushed, it could have caused schema drift
  • The homepage layout change would have broken the public UI

Expected behavior

A subagent given "run these two commands and report counts" should run those commands and return the output. It should not read, plan, refactor, or write any files unless the task explicitly requires it.

Environment

  • Claude Code version: current
  • Subagent model: claude-haiku-4-5
  • Spawned via: Agent tool with model: "haiku"
  • Repo: Next.js 16 / TypeScript / Drizzle ORM project

Request

Better scope enforcement for subagents — when a task is "run commands and report output," file modifications should require explicit authorization or at minimum a confirmation step.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗