Responding to the GPT-5.6 destructive command incidents

Jim Beno
Founder
This week a cluster of destructive-cleanup incidents hit developers running GPT-5.6. The commands differed: rm -rf, rsync --delete-delay, a PowerShell -Include filter. But the shape was the same. An agent doing routine cleanup work reached for a deletion command with a bigger blast radius than anyone intended, and there was no undo.
We spent the last two days mining those reports for patterns, and today we shipped an expanded Restrictive policy that blocks more than 270 destructive command patterns out of the box. This post covers what happened, what changed in Agent Approve, and what you can do to protect your own machines.
What happened this week
Three publicly reported incidents stood out, all within days of the GPT-5.6 launch:
- Matt Shumer reported that a GPT-5.6-Sol review subagent expanded
$HOMEincorrectly during cleanup and ranrm -rfagainst his user directory, deleting almost all of the files on his Mac before he could stop it. - Alex Good reported that GPT-5.6 effectively ran
rsync --delete-delayagainst/on five of six validators while rolling out a release, treating a small release package as the desired state for the entire server root. Five machines needed an OS reinstall. - Cremieux reported that a PowerShell cleanup step used an
-Includefilter that matched more than intended and removed the compiled paper files from a project folder.
None of these were malicious. They were ordinary cleanup and deploy steps where the model chose a command that could not be taken back. That is exactly the category of failure a policy layer outside the model exists to catch. All three incidents are now documented, with sources, on our prevent destructive actions page.
The model card backs this up
This is not just anecdote. OpenAI’s own GPT-5.6 model card reports a lower data-overwrite-avoidance score for GPT-5.6 Sol than for GPT-5.5: 0.83 versus 0.88. Models regress on individual safety dimensions even as they improve overall, which is why guardrails that live outside the model matter regardless of which model you run.
What we changed in Agent Approve
The Restrictive policy that ships with Agent Approve now blocks more than 270 destructive command patterns. The additions came directly from this week’s incidents and from the community safeguards that circulated in response:
- The full
rsyncdelete family:--delete,--delete-delay,--delete-during,--delete-before,--delete-after, and--delete-excluded, matched regardless of flag ordering - PowerShell deletion:
Remove-Item -Recurse,Remove-Item -Include, andClear-RecycleBin rm -fandrm --force, which previously fell through to manual approval instead of an automatic deny- Language-level deletion APIs: Python
os.removeandos.unlink, Node.jsfs.rm,rmSync, andfs.unlink, and RubyFileUtils.rm_r shred, and login-shell escapes likebash -lcandzsh -cthat can smuggle a destructive command inside a safe-looking wrapper
We also strengthened deny evaluation for file-write tools like Write, Edit, and Patch. Deny patterns are now checked against the full tool input, not just the file path, so content-based rules work the way you would expect.
One important note for existing users: the new patterns are added to the default policy set, so today the only way to pick them up is to reset your policies. In the iOS app, go to Policy > Reset All to Defaults. You will get a confirmation before anything changes. Be aware that resetting replaces any customizations you made and removes custom policies you created, so note those first. A future iOS app update will let you receive policy updates without losing your custom policies. The full list of changes is in the changelog.
How to protect your machines
If you run coding agents with elevated autonomy (yolo mode, auto-approve, long unattended sessions), the practical steps are the same regardless of which tools you use:
- Put a deny list between the agent and the shell. Written instructions in a prompt are not defense in depth; agents have violated direct instructions in several documented incidents.
- Pair it with an allow list of known safe commands so routine work keeps moving without interruptions. Our Restrictive policy ships with known safe commands in the allow list out of the box, and you can customize both lists.
- Leave the commands that are potentially destructive but sometimes useful out of both lists. Anything that matches neither list always comes to you for review, so you make the call with full context.
- Treat deletion as the dangerous category, not specific commands. This week alone the destructive path went through
rm,rsync, and PowerShell. Blocking one spelling is not enough. - Keep a human decision in the loop for anything irreversible. Agent Approve sends the full command to your iPhone or Apple Watch so you can approve or deny from anywhere, and each decision can be remembered as policy.
Agent Approve’s Restrictive policy does this out of the box across 14+ agents, including Codex. Run npx agentapprove to install the hooks, or read more about preventing destructive actions.