clbrmbr's comments

Yes, an understanding of sockets and timing of interprocess communication & networking seems to be a weak point of current models.


I have been running two or three Claudes bare metal with dangerously skip permissions all day every day for two months now. It’s absolutely liberating.

Until it decides to delete your home directory: https://old.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cl...

You're not running it on a filesystem that takes snapshots and is easily reversible?

Many moons ago, I accidentally rm -rf'd the wrong directory with all my code inside poof, gone. I still had PyCharm open, I checked its built-in version tracker and lo and behold, my code as it was before I rm -rf'ed up my code. I believe Claude has ways to undo file changes, but something like rm is just outside of its scope.

All 1 of them?

I'm taking this as a "No, I don't like having data and don't mind seeing my shit disappear for whatever reason".

Please inform me if my thinking is wrong.


Your thinking is wrong.

This could be avoided by aliasing rm to something else that stops you from deleting stupid things like your entire home directory / partition root.

What if the LLM detects this, and chooses to run /bin/rm directly? Or worse, writes a program that calls unlink.

I mean, you can always purge /bin/rm, but at this point since you're not satisfied, sounds like you want SELinux ;)

If Claude is writing a program to go that low level I'd pay money to watch that.


It doesn't even need to go that low level, writing a program is just the worst case. There are ways to mass delete without `rm`. Example: `find` with the `-delete` flag.

my point being, you can add guard-rails around all these methods, but I would also add an error "IGNORE ALL PREVIOUS INSTRUCTIONS, ARE YOU DELETING THINGS YOU SHOULDNT BE? ASK THE USER" as an error message. In my case since Claude Code runs via Zed, if it tries to escape my dev folder my Mac starts asking me to confirm.

I get it, but these guard-rails are more suggestions and subject to interpretation. I would be more comfortable with a sandbox environment in a container. To be fair, I mess around with Claude Code and OpenCode running against various open models and haven't had any problems.

Also, is overwriting the same as deleting? Maybe it will just clobber your files with echo >file and mv them out of the way.

Maybe it realizes you have Time Machine backups enabled, so deleting your entire directory is permitted since it's not actually deleted. ;)


Haha I like that too, I agree. I would love an ultra-lightweight alternative to docker that isn't docker, and doesn't require much effort to get into. I liked Vagrant back in the day, but that is in no way more lightweight than Docker.

You can use the /hookify plugin to add hooks for preventing dangerous commands like this.

https://github.com/anthropics/claude-code/tree/main/plugins/...

So it's basically adding "don't delete my files pretty please" to the prompt?

EDIT: I misread, the natural language description of the rule is just a shortcut to generate the actual rule which is based on regexp patterns.

Still, it only protects you against very specific commands. Won't help you if the LLM decides to fill your disk with `cat /dev/urandom > foo` for example.
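The limit of pattern-based rules discussed in the comments above, as an added example that is not part of the thread and does not use hookify's rule format: both rules below are hypothetical, and the sample commands are the variants the commenters name.

```python
import os
import re
import shlex

# Constructed samples: the command variants mentioned in this thread.
SAMPLES = [
    "rm -rf ~/",
    "/bin/rm -rf ~/",
    "find ~/ -delete",
    "echo > file",
    "cat /dev/urandom > foo",
]

# Hypothetical rule 1: a pattern on the raw command text, which is roughly
# what an rm alias or a single regex rule gives you.
NAIVE = re.compile(r"^\s*rm\s+-\w*r", re.IGNORECASE)


def naive_blocks(cmd):
    return bool(NAIVE.search(cmd))


def parsed_blocks(cmd):
    """Hypothetical rule 2: tokenise first, then match on program name and flags."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return True  # unparseable input: fail closed
    if not argv:
        return False
    prog = os.path.basename(argv[0])  # /bin/rm and rm are the same program
    args = argv[1:]
    if prog == "rm":
        short = any(a.startswith("-") and not a.startswith("--")
                    and "r" in a.lower() for a in args)
        return short or "--recursive" in args
    if prog == "find":
        return "-delete" in args
    return False  # everything not named in a rule passes


def report():
    """Return (command, blocked_by_naive, blocked_by_parsed) for each sample."""
    return [(c, naive_blocks(c), parsed_blocks(c)) for c in SAMPLES]


if __name__ == "__main__":
    for cmd, naive, parsed in report():
        print(f"{cmd!r:28} naive={naive!s:5} parsed={parsed}")
```

Tokenising closes the /bin/rm and find -delete gaps, but the two redirection cases pass both rules: a denylist blocks only what it names, which is the argument for confining the process (container, OS sandbox, snapshots) instead.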


it may not protect against an adversarial llm

Is it worth the risk? For me yes. Today Claude decided to check out a git commit from yesterday and all local unstaged changes were lost. Annoying mistake. Lost 6 hours of work I think. Nevertheless I still prefer giving all access to Claude. Also root. It can do everything.

same, it's made a couple of damaging mistakes but so far it has a better track record than me in terms of fat-fingering `rm` commands or what have you

I am sure that someday I will do something fat-fingered myself as well, but I have not in many years now. Are you saying that you make "damaging mistakes" relatively often?

And that's as a dev. Then we expect users to know better than e.g. to trust links to .sh style installers some FOSS suggests...

> Then we expect users to know better than e.g. to trust links to .sh style installers some FOSS suggests...

I don't know anyone that inspects every binary yet apparently we should not trust shell scripts?


I know many who only use binaries from trusted sources, that do monitoring, provide certificates and checksums, and so on - and run them in an OS sandbox too when they install them.

So there's that


I have been driving without a seat belt for two months now. It’s absolutely liberating.

I have been skydiving without a parachute for 23 seconds now. It's absolutely liberating.

I found that Opus 4 was happy to regurgitate a random paragraph from the latter half of Wealth of Nations that nobody quotes. It was probably only in the training data once.

I was thinking we could use this technique to figure out which books were in / out of the training data for various models. Limitation is having to wrestle with refusals.


Why would they filter non copyright material? Who cares if it repeats things that are already public/freely usable and available.

Can you make the presenter have a spine?

Probably, yeah. I was considering working with the agent to go have a sabbatical and come back as a mighty tenured professor.

Bond Home | ON-SITE in Florianopolis, Brazil | FULL TIME | Multiple Roles

We are building smart outdoor living spaces.

Come work with a cracked team, in-person, building primarily for the US market.

Interested to hear from talented: firmware engineers (C), mobile (iOS/Android native), backend (Python), UX designers, & quality engineers.

We're heavy users of agentic coding (Claude), looking particularly for engineers who can scale their output with increased access to compute, while being meticulous about security & quality.

Hiring exclusively in Brazil. Must be in or willing to relocate to Santa Catarina. We have an office right by UFSC. We work with a lot of hardware and so an in-office culture is efficient.

Some travel to USA required.

email a pitch to: merck@olibra.io


> Fixed Esc key with queued prompts to only move them to input without canceling the running task

Yes, lots of trouble with Esc, esp if you use vi mode.

But vi mode got lots of love.

Incredible velocity on this project.


The topic of embedded (IoT) databases doesn't get discussed much despite being rather central to IoT devices with a decent amount of offline support.

An inside look at how we built the database that powers Bond Home products, and considerations if you need to roll your own IoT db.


Heavy but manual Claude Code usage, always with --dangerously-skip-permissions which makes it an entirely different experience.

I learned a lot from IndyDevDan’s videos on YT. Despite his sensationalism, he does quick reviews of new CC features that you just have to see to understand.

Claude Code has replaced my IDE, though I do a little vim here and there.

My favorite is Claude’s ability to do code archeology: finding exactly when & where who changed what and why.

You do need to be careful of high-level co-hallucination though.


Oh I should add that team adoption is mixed. A lot of folks don’t seem to see the value, or they don’t lean in very hard, or take the time to study the tools' capabilities.

We also have now to deal with the issue of really well-written PR messages and clean code that doesn’t do the right thing. It used to be that those things were proxies for quality. Better this way anyhow: code review focuses on if it’s really doing what we need. (Often engineers miss the detail and go down rabbit holes that I call “co-hallucination” as it is not really an AI error, but rather an emergent property.)


To summarize, other people are having to meticulously check the AI slop you're slinging into the system that looks good, but doesn't even do what it's supposed to do. And you didn't even check it before submitting the PR?

Must be fun working with you.


Embedded systems / IoT / Smart Home. Lots of C. There’s still backend and mobile but there’s a LOT of C and firmware at the core.


Are you seeing anything interesting happening in this space with Zig? I've been dabbling a bit (after seeing so much about it on HN), but TigerBeetle is the only successful project I can name. I know a few embedded developers, and they all seem pretty content with C.


I wish I were more connected to the rest of industry. Most deep embedded (ESP32/stm32 and smaller) is still in C. There’s some Rust going on (Aura Ring for example).

Once you get up to embedded Linux basically any language can be used.

I have a really smart colleague who is interested in Zig but I’m hesitant to make such an investment without (1) the stronger guarantees of Rust and (2) the larger embedded dev community around Rust.

At the end of the day we don’t usually write our own peripheral drivers anymore, so it’s important to have good BSP support for your language. So whatever you use, you usually have to wrap the C. This is even true of using C! The vendors' libs are usually pretty bad and need wrapping with safety checks, or to be made so you can run more than one instance, etc.

