Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
RobinL 16 hours ago

Does anyone have direct experience with Claude making damaging mistakes in dangerously skip permissions mode? It'd be great to have a sense of what the real world risk is.

prodigycorp 16 hours ago | parent | next [-]

Claude is very happy to wipe remote dbs, particularly if you're using something like supabase's mcp server. Sometimes it goes down rabbitholes and tries to clean itself up with `rm -rf`.

There is definitely a real world risk. You should browse the ai coding subreddits. The regularity of `rm -rf` disasters is, sadly, a great source of entertainment for me.

I once was playing around, having Claude Code (Agent A) control another instance of Claude Code (Agent B) within a tmux session using tmux's scripting. Within that session, I messed around with Agent B to make it output text that made Agent A think Agent B rm -rf'd entire codebase. It was such a stupid "prank", but seeing Agent A's frantic and worried reaction to Agent B's mistake was the loudest and only time I've laughed because of an LLM.

gregoriol 16 hours ago | parent [-]

Why in the hell would it be able to access a _remote_ database?! In no acceptable dev environment would someone be able to access that.

heartbreak 15 hours ago | parent | next [-]

Everywhere I’ve ever worked, there was always some way to access a production system even if it required multiple approvals and short-lived credentials for something like AWS SSM. If the user has access, the agent has access, no matter how briefly.

gregoriol 15 hours ago | parent [-]

Not if you require auth with a Yubikey, not if you run the LLM client inside a VM which doesn't have your private ssh key, ...

prodigycorp 15 hours ago | parent | prev | next [-]

Supabase virtually encouraged it last year haha. I tried using it once and noped out after using it for an hour, when claude tried to do a bunch of migrations on prod instead of dev.

https://web.archive.org/web/20250622161053/https://supabase....

Now, there are some actual warnings. https://supabase.com/docs/guides/getting-started/mcp#securit...

kaydub 14 hours ago | parent | prev [-]

I think LLMs are exposing how slapdash many people work when building software.

azuanrb 16 hours ago | parent | prev | next [-]

One recent example. For some reason, recently Claude prefer to write scripts in root /tmp folder. I don't like this behavior at all. It's nothing destructive, but it should be out of scope by default. I notice they keep adding more safeguards which is great, eg asking for permissions, but it seems to be case by case.

giancarlostoro 15 hours ago | parent [-]

If you're not using .claude/instructions.md yet, I highly recommend it, for moments like this one you can tell it where to shove scripts. Trickery with the instructions file is Claude only reads it during a new prompt, so any time you update it, or Claude "forgets" instructions, ask it to re-read it, usually does the trick for me.

mythical_39 14 hours ago | parent [-]

Claude, I noticed you rm -rf my entire system. Your .instructions.md file specifically prohibits this. Please re-read your .instructions.md file and comply with it for all further work

giancarlostoro 14 hours ago | parent [-]

IMHO a combination of trash CLI and a smarter shell program that prevents deleting critical paths would do it.

https://github.com/andreafrancia/trash-cli

coldtea 16 hours ago | parent | prev | next [-]

At least one guy had their ~ rm -rf'ed.

https://old.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cl...

ra120271 16 hours ago | parent | prev | next [-]

When approving actions "for this project" I actively monitor .claude\settings.local.json

as

"Bash(az resource:)",

is much more permissive than

"Bash(az resource show:)",

It mostly gets it right but I instantly fix the file with the "readonly" version when it gets it too open.

foreigner 11 hours ago | parent | prev | next [-]

I caught Claude using docker (running as root) to access files on my machine it couldn't read using it's user.

kaydub 14 hours ago | parent | prev | next [-]

It feels like most people are exposing how wild west their environments are.

MattGaiser 16 hours ago | parent | prev [-]

Claude has twice now thought that deleting the database is the right thing to do. It didn't matter as it was local and one created with fixtures in the Docker container (in anticipation of such a scenario), but it was an inappropriate way of handling Django migration issues.