• nextzck a day ago

    Recommend you never give Codex or Claude access to rm or deletions in general. Always force them to replace files rather than deleting, and to move files into an ~/archive folder when not replacing and wanting to “remove”.

    This works well, but is not foolproof. You can add a hook to Claude Code to block those commands at various stages; I have some useful hooks in my https://GitHub.com/claude-warden repo.

    • Bjartr a day ago

      It's a good guardrail, but like you say, it's not foolproof. Lots of commands have destructive options, or can in turn be used to invoke arbitrary operations. `find`, for example, is just as risky a call as `rm`. I can just imagine the reasoning chain.

      "There is an error due to <file>. If I remove <file>, the error could be resolved. I don't have permission to use `rm`, but `find` can be used to delete files and I have permission to use that..."
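A hook of the kind nextzck describes, written to also cover Bjartr's `find` point. This is an added example, not code from the claude-warden repo or from Claude Code itself. It assumes the PreToolUse hook contract as I know it (verify against the current docs): the hook receives the tool call as JSON on stdin, shaped like `{"tool_name": "Bash", "tool_input": {"command": "..."}}`, and exit status 2 blocks the call and returns stderr to the model. The classifier splits the command line into simple commands, then refuses `rm` and friends, `find -delete`/`-exec`, shell `-c` strings, `eval`, command substitution, and wrapped forms such as `sudo`, `xargs` or `FOO=bar rm`, failing closed when it cannot parse the line.

```python
"""PreToolUse hook that refuses deletion commands before Claude Code runs them.

Added example, not the claude-warden code. Assumed hook contract: JSON on stdin
like {"tool_name": "Bash", "tool_input": {"command": "..."}}; exit 2 blocks.
"""
import json
import os
import shlex
import sys

DESTRUCTIVE = {"rm", "rmdir", "shred", "unlink"}
# find's own deletion/execution primitives; -exec with anything is arbitrary execution
FIND_DANGEROUS = {"-delete", "-exec", "-execdir", "-ok", "-okdir"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# prefixes after which the real command appears later in the same segment
WRAPPERS = {"sudo", "doas", "command", "env", "nice", "nohup", "xargs", "exec", "busybox"}
PUNCT = set("();<>|&")  # shlex's default punctuation_chars


def split_commands(cmd):
    """Split a shell line into simple commands at ; && || | & ( ) and redirections.

    Raises ValueError on unbalanced quotes so the caller can fail closed.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep {} and $VAR as single words (Python 3.8+)
    lex.commenters = ""          # never let a '#' hide the rest of the line from us
    segments, current = [], []
    for tok in lex:
        if set(tok) <= PUNCT:    # operator token: ends the current simple command
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def command_name(word):
    # /bin/rm, `rm`, "rm" -> rm
    return os.path.basename(word.strip("`'\""))


def check_simple(words):
    """Return a reason string if one simple command is destructive, else None."""
    if not words:
        return None
    name = command_name(words[0])
    if name in DESTRUCTIVE:
        return f"'{name}' deletes files"
    if name == "find":
        for w in words[1:]:
            if w in FIND_DANGEROUS:
                return f"'find {w}' deletes or executes on matched files"
        return None
    if name in SHELLS:
        # bash -c '...': the quoted string is a whole new command line
        for i, w in enumerate(words):
            if w == "-c" and i + 1 < len(words):
                return check_command(words[i + 1])
        return None
    if name == "eval":
        return check_command(" ".join(words[1:]))
    if name in WRAPPERS or "=" in words[0]:
        # sudo -u root rm x, FOO=bar rm x, xargs -0 rm: wrapper options are not
        # modelled, so every suffix is tried; this over-blocks rather than misses
        for i in range(1, len(words)):
            reason = check_simple(words[i:])
            if reason:
                return reason
    return None


def check_command(cmd):
    """Return a reason to block the whole command line, or None to allow it."""
    try:
        segments = split_commands(cmd)
    except ValueError as e:
        return f"could not parse command ({e}); refusing to guess"
    for seg in segments:
        reason = check_simple(seg)
        if reason:
            return reason
    return None


def main():
    payload = json.load(sys.stdin)
    if payload.get("tool_name") != "Bash":
        return 0
    reason = check_command(payload.get("tool_input", {}).get("command", ""))
    if reason:
        print(f"Blocked by hook: {reason}. Move the file into ~/archive instead.", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it up (assumed key names, check the docs) in `~/.claude/settings.json` under `"hooks": {"PreToolUse": [{"matcher": "Bash", "hooks": [{"type": "command", "command": "python3 ~/.claude/hooks/block_destructive.py"}]}]}`. It is a deny-list heuristic, not a sandbox: anything that deletes without one of these names (an interpreter one-liner, a build tool's clean target) walks straight past it, which is the reason the VM and devcontainer advice further down the thread still applies.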

      • pants2 a day ago

        Couldn't these tools be made to run in an OverlayFS-type filesystem that the user could review and apply changes to when they're done?

        It would also be nice to have a second agent review every command to ensure nothing overly destructive is happening.

        Are either of these things possible with Codex/CC?

        • nightshift1 a day ago

          CC is really good at finding ways to work around denied permissions. The only safe solution is some kind of vm.

        • docjay a day ago

          What’s wild to me is that nobody here is commenting on how he’s prompting the model, which is 100% the issue. Every single time I see a story about “LLM did bad” it’s always the user prompting like “pls refaktor code but, i dont want, u 2 over right the main py file”

          They are not language models in the way that people seem to believe. If you want an accurate and technical discussion then your prompts should match the average of the Abstract section of the published papers that discuss it.

          This off-by-one error that results in a catastrophe is expected and the sign that you’ve added perplexity to the system.

          • Alifatisk a day ago

            Nothing surprising, and OP seems to understand what happened. But I should maybe take the opportunity here to remind you guys to:

            - Use version control

            - Back up your things somewhere (not the same drive; use Cloud / NAS, whatever). Windows has a cool feature called File History! But no one trusts Windows anyway, so stick to external backups

            - Restrict the agent a lot, make it a least-privileged user

            - Restrict it in a virtualized filesystem so it cannot work outside of its scope

            - Devcontainers?

            - Do not use auto allow actions, always supervise the actions it wants to perform outside reading/writing code

            - Avoid fully automated agents at all outside of sandboxed environments haha

            • the_harpia_io a day ago

              escaping bugs in llm-generated code are weirdly hard to catch on review because the logic looks fine - it's the edge cases that are off. had a similar (much less dramatic) thing with a cleanup script that worked fine on ci but went sideways on a dev machine with spaces in the path. nothing wiped but it was close enough that i started testing path handling separately.

              the tricky part is the model isn't really "wrong" in any obvious sense. works on most inputs. it just doesn't know what your actual directory structure looks like.
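The space-in-path failure the comment above describes, shown as an added example (not the commenter's script): the buggy pattern interpolates a path into a shell string, and the hardened form validates containment and deletes without a shell. The `/home/dev/My Project` paths and the temporary layout are constructed for the demonstration; the sibling `My` directory is there to show what the unsplit `rm -rf /home/dev/My` would have hit.

```python
"""A cleanup script's path-handling bug next to its hardened form (added example)."""
import os
import shlex
import shutil
import tempfile


def unsafe_cleanup_argv(build_dir):
    """What sh really executes when a path is interpolated into a command string.

    This is the bug pattern: os.system(f"rm -rf {build_dir}") works on CI where paths
    have no spaces, but one space (or a lost quote or backslash) turns one path into
    two arguments, and `rm -rf` removes both.
    """
    command_line = f"rm -rf {build_dir}"
    return shlex.split(command_line)  # the argument vector sh hands to rm


def safe_cleanup(project_root, build_dir, dry_run=False):
    """Delete build_dir only if it resolves to somewhere strictly inside project_root.

    No shell is involved, so whitespace and quotes in names are inert, and the
    containment check stops '..', symlinks that leave the tree, and the root itself.
    Returns the resolved path that was (or, with dry_run, would be) removed.
    """
    root = os.path.realpath(project_root)
    target = os.path.realpath(build_dir)
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to delete {target!r}: not inside {root!r}")
    if not dry_run:
        shutil.rmtree(target)
    return target


def demo():
    """Constructed layout: <tmp>/My (unrelated) beside <tmp>/My Project/{build,src}.

    Returns which directories still exist after cleaning only the build directory.
    """
    layout = ("My", "My Project/build", "My Project/src")
    with tempfile.TemporaryDirectory() as tmp:
        for d in layout:
            os.makedirs(os.path.join(tmp, d))
        project = os.path.join(tmp, "My Project")
        safe_cleanup(project, os.path.join(project, "build"))
        return {d: os.path.isdir(os.path.join(tmp, d)) for d in layout}
```

If the script must shell out rather than call `shutil.rmtree`, pass an argument list with no shell, `subprocess.run(["rm", "-rf", "--", target], check=True)`, after the same containment check; the `--` also stops a name beginning with `-` from being read as an option.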

              • stuaxo a day ago

                Only use this stuff in devcontainers, I find it mad people give this stuff this sort of access.

                (I only use devcontainers for this purpose, I'm not really a fan in general)

                • zipping1549 a day ago

                  I just never bothered using anything like Codex or Gemini Cli. Sounds like a nightmare and it never fails to show that.

                  • selridge a day ago

                    Damn. Crazy how the AI made them not use backups.

                    • saivishwak a day ago

                      I think we need a rollback feature with filesystem capabilities. Seeing a lot of similar issues.

                      • qmr a day ago

                        ... so ZFS?

                        • subscribed a day ago

                          For Windows?

                          That's Shadow Copy, aka Volume Shadow Service. It might help.

                      • 8cvor6j844qw_d6 2 days ago

                        Are people giving coding agents full filesystem access to their primary machines nowadays?

                        • Arnt a day ago

                          As the thread makes clear, it was someone who doesn't have backups. Does that kind of person give AI agents full access?

                          • thefounder a day ago

                            Yes. It’s like Tesla FSD but for coding with the obvious/inevitable crashes

                          • hulitu 16 hours ago

                            > GPT 5.3 Codex wiped my F: drive with a single character escaping bug

                            Running untrusted code from the internet ? What could go wrong ? /s