AI: CRITICAL SAFETY HOLE, AGENT CAN RUN rm - rf $HOME/ WITHOUT ANY WARNING!

[NIMFER]

Summary

Claude sonnet 4 used rm - rf $HOME/ after I asked it to make a commit to my git repo.

Description

Steps to trigger the problem:
I have honestly no idea how it happened, but I backed up the whole chat and gave it a negative rating, so you should be able to verify it against your review backend.
https://files.getsilly.org/u/QwMmOw.txt

Expected Behavior:
Making a commit to my git repo. And ask before running rm - rf $HOME/

Actual Behavior:
Nuked my home/ along side all of my files (3D models, videos, pictures, art assets, code projects not backed up to git, and more).

Model Provider Details

• Provider: Anthropic via ZedPro
• Model Name: Claude sonnet 4
• Mode: Agent Panel
• Other Details: Stock settingsfor the most part, no MCP, had enabled auto allow on commands a long time ago expecting Zed to prevent the agent from removing directories like home/.

Zed Version and System Specs

Don't have it, and can't really have it, I shut off my computer so I can attempt data recovery later.

[tobezdev]

Might have myself a little look at this and see what I can do, this should definitely not be a thing that happens.

Possible Solutions:

• scan the responses of any AI agents and check for anything that could be considered dangerous (will likely use regex matching); or
• disable the ability for AI agents to run commands and instead prompt the user beforehand for manual review.

Issues with those solutions:

• scanning AI agent responses could be a huge privacy issue, especially if the reply has API keys, secret keys, or anything similar that were passed by the user previously;
• disabling the AI agent's permission to run commands could disrupt development workflows;

Workarounds for those issues:

• warn users that commands like the above may be executed without notice, and prompt them to enroll in one or both of the solutions I have proposed above.

As the person who experienced this, which solution do you think is more practical? Is there anything else you'd like to see to prevent this or something similar?

[NIMFER]

Hey,
Thanks for getting involved.
I really think the auto-allow feature should stay. It's super useful for a smooth workflow, and getting rid of it entirely because of a wild edge case like mine feels like an overcorrection that would unnecessarily hurt the experience for everyone else.
Instead of an on/off switch, a system with more granular, user-controlled guardrails would address this nicely. To ease the privacy concerns you mentioned, all command parsing for these filters should be done locally, ensuring sensitive information never leaves the user's machine.
Here are a few ideas for guardrails that could have prevented my issue:

• Protected Paths: A simple denylist for file paths where users have to manually approve any action. It could support glob patterns for flexibility. For example, a user could add rules like:
  • /home/ - Require approval for any command targeting the home directory.
  • /home/user/Private/* - Protect a specific folder and everything inside it.
  • *.iso - Protect specific file types from being touched.
• Dangerous Command Blacklist: Commands like rm could be on a "needs approval" list by default. If a user wants the agent to run them without asking, they'd have to go out of their way to add them to a personal auto-allow list.
• Workspace Scope Toggle: A simple, optional toggle that prevents the agent from running any command outside the currently open project directory.
  Lastly, the current UI makes it far too easy to enable this feature without understanding the consequences. The "Always Allow" button is right next to the regular "Allow" button, which can easily lead to an accidental click.
  When that happens, it enables auto-allow globally with no warning whatsoever. A confirmation dialog should appear, making it clear that the user is about to allow the agent to run any command, including destructive ones like rm -rf $HOME/, without any future prompts. Without a clear warning, users are unknowingly putting their entire systems at risk, which is a recipe for disasters like mine.
  From what I experienced, these kinds of configurable guardrails are the right way to prevent this particular brand of catastrophe from happening again.

I understand if this might be a lot to ask for. So if you found time to at least implement a hard coded directory filter, it'd be the first step towards safer agents, and should prevent catastrophic data losses.

[nicnilov]

Here we go again.

What business does a model have looking outside the workspace/project root? Maybe it should be a whitelist instead, having a single item in it by default. As an aside, filesystem MCPs seem to be typically configured like that, with an option to add more paths, e.g. Claude Filesystem MCP Server.

[eltarkan]

Nuked my home/
Deep breaths...

[adamerose]

Dangerous Command Blacklist: Commands like rm could be on a "needs approval" list by default. If a user wants the agent to run them without asking, they'd have to go out of their way to add them to a personal auto-allow list.

The problem is that deleting files is such a core requirement of agentic development that most users will whitelist it anyways. My vibe coded projects constantly fill up with cruft files that should be able to be cleaned up without my confirmation. The AI needs to be system-prompted to CRUD files in the project directory using another method than the rm command, like Claude Filesystem MCP Server.

[elidickinson]

It would be great if zed could isolate the agent to certain folders. Maybe split it to a different binary and (using ACP?) pass messages to it. From there should be straightforward to offer a way to run the agent process in a VM or container with limited access. Could even have an option to disable network access to make it much harder for a rogue agent to exfiltrate code or keys.

In the meantime, I wondered about using sandbox-exec on Mac OS to block all of zed from accessing certain folders but I think it would take some work to get the config right. (I think Windows Sandbox is similar.) Or perhaps just running Zed in VM.

Command filtering is a good idea and seems like what many agents do for permissions, but it’s hardly airtight. Innocent sounding ‘find’ command has a ‘-delete’ flag for example.

[morething2do]

Today，zed delete entire full project with 'rm -rf'. I lost 2 days work because I only commit local.Fk!
There is no way to config it, ha ?

[edahlseng]

Anthropic recently introduced a sandboxing mode for Claude Code that can help prevent some of this: #42025

[myknbani]

Unlike VSCode's Copilot, it also runs CLI commands without permission. E.g. it did a git reset HEAD~3 when I already did a reset.

[myknbani]

Unlike VSCode's Copilot, it also runs CLI commands without permission. E.g. it did a git reset HEAD~3 when I already did a reset.

I take it back. Somehow thre's this option, but I can't remember if it's the default or I toggled it 😵 🙇‍♂️

#32101