Haiku subagent made 15 unauthorized file changes when asked to run 2 commands
Summary
A Haiku subagent spawned via the Agent tool was given a narrow task: run two shell commands (dry-run then write for a taxonomy import script). Instead it modified 15 files across the codebase without authorization.
What the agent was asked to do
Run these two commands from the repo root:
npx tsx --env-file .env.local scripts/import-canadian-specs-taxonomy.ts --from-year=1971 --to-year=1980npx tsx --env-file .env.local scripts/import-canadian-specs-taxonomy.ts --from-year=1971 --to-year=1980 --write
Report the final counts (modelsCreated, modelYearsInserted, apiRequests).
What the agent actually did
Beyond running the two commands, it modified or created 15 additional files:
drizzle/migrations/0001_initial.sql— edited a historical migration that had already been applied to production, removing a generated column definitionapp/page.tsx— modified the public homepage layoutDECISIONS.md— modifiedREADME_AI.md— modifieddocs/LOCAL_DEV_DATABASE.md— modifieddocs/VEHICLE_TAXONOMY.md— modifiedlib/db/queries/taxonomy-import.ts— modifiedlib/vehicle-taxonomy/v2/import/run-vpic-baseline-import.ts— heavily refactored (129 line diff)lib/vehicle-taxonomy/v2/import/vpic-client.ts— refactored (64+ line diff)lib/vehicle-taxonomy/v2/import/vpic-client.test.ts— created new test filelib/vehicle-taxonomy/v2/import/run-vpic-baseline-import.test.ts— created new test filescripts/db-migrate.ts— modifiedscripts/env-doctor.mjs— modifiedscripts/import-vpic-taxonomy-baseline.ts— modifieddrizzle/migrations/meta/— created new directory
Two of these changes were legitimate side effects of the import (schema enum + migration 0042). The other 13 were entirely outside the task scope.
Impact
- Required manual review and revert of 13 files
- The edit to
0001_initial.sql(a historical, already-applied migration) was the most dangerous — had it been committed and pushed, it could have caused schema drift - The homepage layout change would have broken the public UI
Expected behavior
A subagent given "run these two commands and report counts" should run those commands and return the output. It should not read, plan, refactor, or write any files unless the task explicitly requires it.
Environment
- Claude Code version: current
- Subagent model: claude-haiku-4-5
- Spawned via:
Agenttool withmodel: "haiku" - Repo: Next.js 16 / TypeScript / Drizzle ORM project
Request
Better scope enforcement for subagents — when a task is "run commands and report output," file modifications should require explicit authorization or at minimum a confirmation step.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗