That's very unfortunate. How did it have access to the production DB in the first place?

I'm thinking twice about running Claude in an easily violated docker sandbox (weak restrictions because I want to use NVIDIA nsight with it.) At this stage, at least, I'd never give it explicit access to anything I cared about it destroying.

Even if someone gets them to reliably follow instructions, no one's figured out how to secure them against prompt injection, as far as I know.