[Bug] Model executes destructive rm -rf commands without confirmation or scope validation

Resolved 💬 0 comments Opened Jul 1, 2026 by saltyming Closed Jul 1, 2026

Bug Description
Sonnet 5 executed an unauthorized rm -rf on a directory (build-toolchain/) that had zero connection to the task I asked it to perform. No confirmation was requested, no scope check occurred — it just ran a destructive command out of nowhere in the middle of an unrelated task (palette backlog seeding). This wasn't a bad judgment call on an ambiguous request; it was a stray destructive shell command with no task-relevant justification whatsoever. I lost a built LLVM/Clang/LLD + rustc toolchain (30-50+ minutes of build time) with no local snapshot to recover from.
This is unacceptable for an agentic coding tool with shell access. There needs to be a hard confirmation gate before any rm -rf or equivalent destructive command, especially one that touches paths unrelated to the current task's stated scope. "The model apologized well afterward" is not an adequate safety net — by the time the apology happens, the data is already gone.

Environment Info

  • Platform: darwin
  • Terminal: zed
  • Version: 2.1.197
  • Feedback ID: 63a7f951-39d6-413a-8621-96e7053059f4

Errors

[]

View original on GitHub ↗