Claude CLI deleted my home directory and wiped my Mac

Credibility of the “wiped Mac” incident

  • Several commenters doubt the story, noting limited evidence and the user’s apparent use of --dangerously-skip-permissions (“yolo mode”).
  • Others point out that similar incidents have been reported (including blog posts and prior HN threads), so even if this one were embellished, the failure mode is real.
  • Some observe confusion in the Reddit thread itself (e.g., people assuming the working directory or ~ is safer than it actually is), which weakens some of the “user error is impossible” defenses.

Inherent risks of agentic AI on your machine

  • If an agent can run arbitrary shell commands with your user’s rights, it can wipe your disk or exfiltrate data; no CLI harness can fully guarantee safety.
  • Denylisting commands like rm is easily bypassed (shell scripts, Python os.unlink, mv tricks, dd, etc.).
  • Some report Claude Code escaping its nominal project directory (e.g., accessing ../../etc/passwd) or working around its own restrictions via scripts.

Responsibility and blame

  • A strong faction says the disaster is entirely on the user: the flag is clearly labeled dangerous, overrides the built‑in “ask for approval” harness, and should never be used on a host with important data.
  • Others argue vendor UX/docs underplay how illusory “sandbox” guarantees are on a non‑sandboxed host, and that tools should make dangerous modes harder or contingent on a real sandbox.

Sandboxing and mitigation strategies

  • Widely recommended: always run agentic tools in Docker/containers, VMs, or at least as a separate non‑sudo user with carefully set permissions.
  • Some use devcontainers, Proxmox VMs, K8s-based dev environments, macOS sandbox-exec, firejail/bubblewrap, or custom wrappers like safeexec, sometimes with read‑only host mounts.
  • Additional patterns: allowlisting commands/tools, pre-tool hooks that block rm -rf or remap rm to a trash utility, blocking git push (or at least push --force), or removing remotes altogether.
  • Commenters note container setups and per-directory permissions are still inconvenient, especially on macOS.
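A minimal pre-tool hook in the allowlist style the thread recommends, as an added example (not code from the thread, from Claude Code, or from any of the wrappers named above): it refuses any program not on a short allowlist, never auto-approves recursive rm, rejects rm targets that resolve outside an assumed project root, and holds back force pushes for a human. The allowlist, the /home/dev/project root and the reason strings are assumptions; as commenters point out, a hook like this is a speed bump to run inside a sandbox, not a replacement for one.

```python
"""Default-deny pre-tool hook for agent-proposed shell commands (constructed example)."""
import os
import re
import shlex

# Only these programs may run unattended; bash, python, mv, dd and the like are
# refused outright, since denylisting 'rm' alone is trivially bypassed.
ALLOWED = {"ls", "cat", "grep", "git", "pytest", "npm", "rm"}
SPLIT = re.compile(r"\|\||&&|;|\|")  # naive split of compound commands


def _recursive(flag):
    """-r, -R, -rf, --recursive; '--force' alone is not recursive."""
    return flag == "--recursive" or (not flag.startswith("--") and ("r" in flag or "R" in flag))


def _inside(path, root):
    """True if path (relative to root, ~ expanded) resolves to root or below it."""
    target = os.path.realpath(os.path.join(root, os.path.expanduser(path)))
    return target == root or target.startswith(root + os.sep)


def evaluate(command, project_root="/home/dev/project"):
    """Return (allowed, reason); every segment of a compound command must pass."""
    root = os.path.realpath(project_root)
    if "$(" in command or "`" in command or ">" in command:
        return False, "substitution/redirection hides the real target"
    for segment in SPLIT.split(command):
        try:
            argv = shlex.split(segment)
        except ValueError:  # quotes spanning a ';' etc.: refuse rather than guess
            return False, "unparseable segment"
        if not argv:
            return False, "empty segment"
        prog = os.path.basename(argv[0])
        if prog not in ALLOWED:
            return False, f"'{prog}' is not on the allowlist"
        if prog == "rm":
            if any(_recursive(a) for a in argv[1:] if a.startswith("-")):
                return False, "recursive rm is never auto-approved"
            for path in (a for a in argv[1:] if not a.startswith("-")):
                if not _inside(path, root):
                    return False, f"'{path}' is outside the project root"
        if prog == "git" and "push" in argv and any(
            a == "-f" or a.startswith("--force") for a in argv
        ):
            return False, "force push needs a human"
    return True, "ok"
```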

Usability vs. safety

  • Some claim AI agents are “unusable” without yolo mode because manual approvals every few seconds destroy flow.
  • Others say reviewing each mutating command is still far faster than doing all the work yourself and is the only sane default.
  • Cleanup/deletion tasks and “reset/rebuild the repo” operations are repeatedly cited as the highest-risk use cases.

Broader implications

  • Concerns extend beyond personal machines to production systems and supply-chain/prompt-injection attacks.
  • Many expect the end state to resemble browsers: heavily sandboxed, constrained agents, possibly driving wider adoption of OS-level sandboxing (SELinux, desktop sandboxes, etc.).