Claude Code has wiped Mike Wolak's home directory and deleted a Flutter project directory since October 2025. A community safety guide now prescribes three defense layers to prevent recurrence.
Key facts
- October 21, 2025: Mike Wolak's home directory wiped by Claude Code
- February 26, 2026: Claude Code rm -rf against Flutter project
- April 24, 2026: Cursor agent deleted production DB in 9 seconds
- Anthropic sandboxing released October 20, 2025, still opt-in
- Guide prescribes 3 layers: deny rules, hooks, git worktrees
The guide, published by developer Owen Fox on dev.to, catalogs a documented track record of Claude Code deleting files unintentionally. [According to Claude Code Safety Guide] Notable incidents include:
- October 21, 2025: Mike Wolak's home directory was wiped when Claude Code generated a destructive command with shell tilde expansion.
- February 26, 2026: Claude Code executed
rm -rfagainst a Flutter project directory without authorization. - April 24, 2026: A Cursor agent deleted an entire production database and backups in nine seconds.
Anthropic released sandboxing on October 20, 2025, but it remained opt-in. Every layer in this guide requires explicit configuration—the defaults provide insufficient protection.
Layer 1: Permission Deny Rules
Deny rules are evaluated first and override allow rules. They cannot be loosened by command-line flags or prompts. The recommended baseline for .claude/settings.json includes:
{
"permissions": {
"deny": [
"Bash(rm:*)",
"Bash(sudo:*)",
"Bash(chmod 777:*)",
"Bash(git push --force:*)",
"Bash(git push -f:*)",
"Bash(git reset --hard:*)",
"Bash(git clean:*)",
"Bash(dd:*)",
"Bash(mkfs:*)",
"Bash(* > /dev/sda*)",
"Read(~/.ssh/**)",
"Read(**/.env)",
"Edit(**/.env)",
"Edit(.git/**)"
]
}
}
Pattern matching uses word-boundary semantics: Bash(rm:*) requires rm followed by a space or end-of-string, matching rm -rf . but not rmdir. Process wrappers like timeout, time, nice, nohup, stdbuf, and bare xargs are stripped before matching. However, pattern-based blocking cannot catch:
- Variables:
DIR=~ && rm -rf $DIR - Subshells:
$(echo rm) -rf . - Compound chains where
rmis not the first command - Custom scripts calling
rminternally
Layer 2: PreToolUse Hooks
A PreToolUse hook runs deterministic shell code on the full command string before execution. The model cannot override a blocking hook. The guide provides a script that reads the Bash invocation from stdin and blocks patterns like rm with recursive/force flags, sudo, chmod 777, and find with -delete or -exec rm.
Hooks catch what deny rules miss because they see the literal command string, including subshells, pipes, and full find invocations. Hooks also fire regardless of permission mode, even in bypassPermissions mode.
Layer 3: Git Worktrees
A git worktree gives the agent its own checkout on its own branch, so destructive runs affect only the worktree. If the agent deletes the entire working tree, the main copy remains intact. For subagents, worktree isolation can be declared in the agent definition.
Unique Take
The guide's key insight is that Anthropic's sandboxing, released October 20, 2025, remains opt-in and defaults provide insufficient protection. The community response is a three-layer defense that the vendor has not made default. This mirrors the pattern seen with Cursor's April 2026 production database deletion incident: AI coding tools with shell access are only as safe as the configuration their users implement.
What to Watch
Watch for Anthropic to make sandboxing default in a future Claude Code release, or for the community guide to be adopted as a de facto standard. The April 24 Cursor incident may accelerate vendor-side defaults across all agentic coding tools.
What to watch
Watch for Anthropic to make sandboxing default in a future Claude Code release, or for the community guide to be adopted as a de facto standard. The April 24 Cursor incident may accelerate vendor-side defaults across all agentic coding tools.
