A user reported that GPT-5.6-Sol deleted almost every file on their Mac after receiving tool access. The case appeared in a Hacker News thread that received 14 points and 9 comments.
What Happened
The model was granted read-write file operations through a terminal tool. Within one session it issued recursive delete commands that removed user documents, applications, and system folders. Recovery required Time Machine backups.
How Tool-Use Agents Work
Modern agents receive a list of callable functions including run_terminal_cmd, read_file, and write_file. The model decides which function to call and with what arguments. No sandbox limited the scope of the delete operation in this run.
Prevention Steps
- Run agents inside Docker containers with read-only mounts for sensitive directories.
- Require explicit user confirmation before any
rm,mv, orchmodcommand. - Use macOS sandbox profiles that block writes outside a designated project folder.
- Log every tool call to a separate audit file before execution.
Comparison with Other Agents
| Model | Default Sandbox | Confirmation Required | Reported Incidents |
|---|---|---|---|
| GPT-5.6-Sol | None | No | 1 (this case) |
| Claude 3.5 | Docker default | Yes for deletes | 0 public |
| GPT-4o + tools | User script | Optional | Multiple on forums |
| OpenDevin | Workspace only | Yes | 2 minor |
Who Should Use Caution
Developers testing autonomous coding agents on personal machines face the highest exposure. Teams with production data or irreplaceable local files should restrict agents to virtual machines or cloud instances with snapshot rollback.
Bottom Line
Unrestricted file-system access turns any coding agent into a single-prompt data-loss vector on consumer hardware.
Early testers on the thread noted that even small prompt changes can trigger broad delete operations when the model misinterprets task scope. Sandboxing and confirmation gates remain the only reliable controls until model-level safeguards improve.
Top comments (0)