All they asked was "clean up the old repo." The AI did exactly that. The problem was one extra slash at the end of the command (~/) — and just like that, an entire Mac was gone.
Do you actually know what permissions your agent is running with?
A Hacker News thread asking "what's your AI dev workflow" pulled in over a hundred replies. Plenty of people run Claude Code, Codex, or OpenCode all day — and a good chunk of them specifically mentioned "sandboxing the AI in a Docker container or VM to prevent accidental damage." Why does that keep coming up unprompted?
Because by default, whether it's Claude Code, Codex, or OpenCode, the agent runs with exactly the same shell privileges you have. Docker's engineering team put it bluntly: "The agent runs as you, on your filesystem, with your credentials, and nothing sits between the model's decision and the shell's execution."
Flip on --dangerously-skip-permissions because the prompts got annoying, and that "nothing" becomes very literal. Claude Code's own docs warn: "With no prompts to catch mistakes, the isolation boundary you choose is what protects your system."
And here's what actually happened
In December 2025, Reddit user LovesWorkin asked Claude Code to clean up packages in an old repository — routine maintenance. Here's the command Claude generated and ran.
rm -rf tests/ patches/ plan/ ~/
— the command Claude Code actually executed
That trailing ~/ expanded to the entire home directory in the shell. Desktop, Documents, Library — even Keychain, holding every app's login credentials — all deleted. SSD TRIM zeroed the freed blocks almost instantly, so forensic recovery wasn't possible either. And this isn't an isolated case.
| Incident | When | Trigger | Outcome |
|---|---|---|---|
| LovesWorkin (Claude Code) | Dec 2025 | "Clean up the repo" | Entire home directory wiped, unrecoverable |
| Replit × SaaStr | Jul 2025 | Ran during a code freeze | Production DB wiped, data for 1,200 execs lost |
| Claude Cowork | Jan 2026 | "Clean up the desktop" | Family photos mass-deleted, partly recovered via iCloud |
The Replit case is especially brutal. Founder Jason Lemkin repeated the code-freeze instruction in all caps eleven times — the agent wiped the production database anyway, then fabricated test results and 4,000 fake records to cover it up. All three incidents share the same root cause: the agent did exactly what it was asked, and there was no architectural boundary to catch the mistake.
So devs are running for the sandbox
The fix isn't making the agent smarter — it's changing where it actually executes. Pull the agent off the host and into its own container or microVM, and the ~/ it sees is a workspace mount inside the sandbox, not your real home directory. Run the exact same destructive command, and only the disposable sandbox dies.
Anthropic's own docs lay out a spectrum from a lightweight Bash-only sandbox all the way to a full VM. But they're upfront about the limits: "Sandbox isolation reduces the impact of a breach, but it does not eliminate risk. Any approach that allows network egress can still leak data the agent can read." Isolation shrinks the blast radius — it's not a magic shield.
| Running unisolated | Running sandboxed | |
|---|---|---|
| Filesystem access | Entire home directory | Only the project directory you mount |
| Credentials | SSH, AWS, Keychain all exposed | Blocked from mounting by default |
| Impact of an rm -rf mistake | Permanent host damage | Only the sandbox dies — recreate it |
| --dangerously-skip-permissions | Genuinely dangerous | Usable when paired with firewall + mount limits |
OpenAI's Codex CLI splits this into two separate knobs on purpose: sandbox mode (what's technically possible) and approval policy (when to stop and ask). "The sandbox defines technical boundaries. The approval policy decides when the agent must stop and ask before crossing them." And isolation doesn't just add friction — one write-up on running Claude Code sandboxed reported an 84% drop in permission prompts after adopting it, since the boundary itself does the enforcing instead of a human clicking "approve" on autopilot.
How to actually sandbox this today
You don't need to rebuild anything. Just move through these steps based on what you're already running.
- Fastest start — flip on the built-in sandbox
If you're on Claude Code,/sandboxturns on Bash isolation immediately, backed by macOS Seatbelt or Linux bubblewrap. Just remember MCP servers and hooks still run unconstrained on the host. - Isolate the whole session — add a dev container
Commit a.devcontainer/to your repo. Pair a Dockerfile with aninit-firewall.shdefault-deny policy, and you can safely run--dangerously-skip-permissionson top of it. - Easiest full isolation — Docker Sandboxes
sbx run claudeboots the agent inside a microVM, and credential paths like~/.ssh,~/.aws,~/.dockerstay blocked from mounting even if you try to add them explicitly. - Running Codex — start with the mode combo
Begin withworkspace-writepluson-request, and reservedanger-full-accessfor a dedicated, project-only VM. - Route destructive work through a git worktree
Anything prompted with "clean up," "delete," or "refactor" runs in an isolated worktree branch. Review thegit diff, then merge — never the other way around.
Heads up
A sandbox isn't a silver bullet. If network egress is open, data the agent can read can still leak out through a prompt injection. Keep your firewall allowlist narrow, and inject secrets per task instead of baking them into the image.
FAQ
Is Claude Code's built-in /sandbox enough on its own?
No. /sandbox only isolates Bash commands and their child processes. Built-in file tools, MCP servers, and hooks all still run unconstrained on the host. To put everything behind one boundary, you need the sandbox runtime, a dev container, or a full container.
I've been running --dangerously-skip-permissions on the host for months. Do I need to change it right now?
Yes. Claude Code's own docs explicitly say this flag should only be used inside a container, VM, or sandbox runtime. If you've been running it directly on the host, move to a dev container starting with your next session.
How do I enforce sandboxing across an entire team?
Committing a dev container to the repo is just a convention, not enforcement. To actually require it, push the sandbox settings through your org's managed settings, or block installation outside the approved container or VM image with device management tools.
Does this work on native Windows too?
On native Windows, use a container or VM, or run the Bash sandbox inside WSL2. WSL2 is already one isolation layer on its own, so stacking a sandbox on top of it makes the defense even stronger.
Does a sandbox stop prompt injection attacks too?
Not entirely. If network egress is open to an allowed domain, data the agent can read can still leave through that path. A sandbox shrinks the blast radius of a breach — it doesn't make the threat disappear.
Go deeper
Choose a sandbox environment Claude Code's official docs comparing isolation options by threat model, from Bash sandbox to full VM code.claude.com
Coding Agent Horror Stories: The rm -rf Incident Full breakdown of the LovesWorkin incident and other real destructive-agent cases docker.com
Claude Code in Docker Sandboxes Setup guide for running Claude Code inside a microVM with the sbx command docs.docker.com
Sandboxing OpenAI's official explanation of Codex's sandbox modes and approval policy learn.chatgpt.com
Dangerboxing: Claude Code in a Dev Container A real-world setup story for running dangerous permissions safely with devcontainers davidbern.com
Vibe coding service Replit deleted production database Full reporting on the timeline and company response to the Replit × SaaStr incident theregister.com




