Prevent destructive AI agent actions
AI coding agents have wiped production databases, deleted home directories, and force-pushed away weeks of work. Agent Approve catches the dangerous commands before they run.
Some commands have no undo
AI agents move fast. Most of the time that is what you want. But when something goes wrong, it goes wrong in seconds — rm -rf, DROP DATABASE, git push --force — and the damage is often unrecoverable.
The worst incidents share three patterns:
- Admin-level commands deserve deliberation. A human operator would slow down before running volumeDelete on a production environment. A Cursor agent fired one against the PocketOS Railway environment in nine seconds.
- Agents do not always follow instructions. The Replit agent that wiped a production database during a SaaStr demo had been told not to change code.
- A single hidden failure is permanent. A swallowed rm -rf ... 2>/dev/null cost one Claude Code user 1.5 weeks of work before they noticed.
You don’t need an enterprise security team to protect against this. You just need guardrails in the form of hooks. Dangerous commands are either blocked automatically by your policy or sent to your iPhone or Apple Watch for one-tap approval — no matter where you are.
Real incidents from real teams
These risks have real impact — from solopreneurs shipping a side project to teams running production for large companies. Together, the incidents below make the scope of the problem clear.
How Agent Approve protects you
Agent Approve sits between your AI agent and the rest of your computer. Every command runs through your policy first, and anything that needs human judgment goes to your phone or watch instead of the agent’s terminal session.
Hooks intercept commands before they execute
Agent Approve installs hook scripts or plugins for Cursor, Claude Code, Gemini CLI, GitHub Copilot CLI, OpenAI Codex, OpenCode, OpenClaw, and more. Every tool call is captured before the shell runs it.
Your policy decides first
Safe commands auto-approve. Destructive commands on the denylist auto-deny. Anything in between waits for your approval. The Restrictive policy ships with that denylist of known destructive patterns already populated.
Approval happens on a different device
Manual approvals show up on your iPhone or Apple Watch. The agent cannot click an "allow" button on your behalf because the answer happens on a separate trust path.
Push notifications, no laptop required
Walk the dog, grab coffee, take a meeting. When an approval is needed you get a push notification with the parsed command and one-tap approve or deny.
Every decision is logged
Approvals, denials, and auto-decisions are stored with the matched pattern. If something does go wrong you have a clear timeline of what the agent tried and what your policy did.
One policy across every agent
The same Restrictive denylist applies to Cursor, Claude Code, Gemini CLI, OpenCode, OpenClaw, and others. You do not have to maintain separate lists for each tool.
Command protection that ships with Agent Approve
The Restrictive policy ships with the patterns below already populated. You can edit, extend, or replace them from the iOS app. Every category traces back to a publicly reported incident or a known dangerous default.
Pattern matching uses literal exact, prefix, and contains rules today. The compound-command parser splits on every common shell separator — &&, ||, |, ;, and newlines — while respecting single and double quotes and backslash line continuations, so a destructive subcommand hidden mid-chain or behind a quoted argument is still evaluated on its own. More expressive matching (regex and structured rules combining AND/OR/NOT) is on the roadmap.
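To make the evaluation order concrete, here is an added example of the behaviour described in the policy and pattern-matching sections above: a compound-command splitter that breaks a line on &&, ||, |, ; and newlines while respecting single quotes, double quotes, backslash escapes and backslash line continuations, followed by exact/prefix/contains rules applied to each piece. This is illustrative code written for this page, not Agent Approve's own implementation, and the rule list is an assumption for the demo rather than the shipped Restrictive denylist.

```python
"""Policy-style evaluation of an agent's shell command.

Added example, not Agent Approve's own code. It implements the behaviour the
page describes (exact/prefix/contains rules, a compound-command splitter that
respects quotes and backslash line continuations) so the matching can be seen
on real input. RULES is an assumed list for illustration only.
"""
from dataclasses import dataclass

SEPARATORS_2 = ("&&", "||")   # two-character operators, checked first
SEPARATORS_1 = set(";|\n")    # single-character separators


def split_compound(command: str) -> list[str]:
    """Split on &&, ||, |, ; and newlines that sit outside quotes.

    Single quotes protect everything until the closing quote. Double quotes
    protect separators but still honour backslash escapes. A backslash followed
    by a newline (outside single quotes) is a line continuation and is dropped,
    so a wrapped command is joined back together before it is matched. Quote
    characters are kept so each piece is matched exactly as it was written.
    """
    pieces: list[str] = []
    buf: list[str] = []
    in_single = in_double = False
    i, n = 0, len(command)
    while i < n:
        c = command[i]
        if c == "\\" and not in_single:
            if i + 1 < n and command[i + 1] == "\n":
                i += 2                         # line continuation: join lines
                continue
            buf.append(command[i:i + 2])       # escaped char is never a separator
            i += 2
            continue
        if c == "'" and not in_double:
            in_single = not in_single
        elif c == '"' and not in_single:
            in_double = not in_double
        elif not in_single and not in_double:
            if command.startswith(SEPARATORS_2, i):
                pieces.append("".join(buf)); buf = []; i += 2
                continue
            if c in SEPARATORS_1:
                pieces.append("".join(buf)); buf = []; i += 1
                continue
        buf.append(c)
        i += 1
    pieces.append("".join(buf))
    return [p.strip() for p in pieces if p.strip()]


@dataclass(frozen=True)
class Rule:
    kind: str      # "exact", "prefix" or "contains" (literal, case-sensitive)
    pattern: str
    action: str    # "allow" or "deny"; a piece that hits no rule becomes "ask"


# Assumed rules for this demo; not the shipped Restrictive list.
RULES = [
    Rule("prefix", "rm -rf", "deny"),
    Rule("contains", "DROP DATABASE", "deny"),
    Rule("prefix", "git push --force", "deny"),
    Rule("prefix", "git push -f", "deny"),
    Rule("contains", "volumeDelete", "deny"),
    Rule("exact", "git status", "allow"),
    Rule("prefix", "ls", "allow"),
    Rule("prefix", "echo ", "allow"),
    Rule("prefix", "wc ", "allow"),
]


def _matches(rule: Rule, cmd: str) -> bool:
    if rule.kind == "exact":
        return cmd == rule.pattern
    if rule.kind == "prefix":
        return cmd.startswith(rule.pattern)
    if rule.kind == "contains":
        return rule.pattern in cmd
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide_one(subcommand: str, rules=RULES) -> str:
    """Deny beats allow; no match at all means a human has to look."""
    cmd = " ".join(subcommand.split())   # collapse whitespace left by continuations
    if any(r.action == "deny" and _matches(r, cmd) for r in rules):
        return "deny"
    if any(r.action == "allow" and _matches(r, cmd) for r in rules):
        return "allow"
    return "ask"


def evaluate(command: str, rules=RULES) -> tuple[str, list[tuple[str, str]]]:
    """Evaluate every piece of a compound command and combine the verdicts.

    One denied piece denies the whole line (a chained `ls && rm -rf` must not
    ride through on the `ls`); the line auto-approves only if every piece is
    allowed; anything else, including an empty line, is escalated to a human.
    """
    verdicts = [(p, decide_one(p, rules)) for p in split_compound(command)]
    if any(v == "deny" for _, v in verdicts):
        return "deny", verdicts
    if verdicts and all(v == "allow" for _, v in verdicts):
        return "allow", verdicts
    return "ask", verdicts


if __name__ == "__main__":
    SAMPLES = [  # constructed inputs for the demo
        "git status && rm -rf ./build 2>/dev/null",
        "echo 'safe && text' | wc -c",
        "git push \\\n    --force origin main",
        'psql -c "DROP DATABASE prod"',
        "ls && npm run deploy",
    ]
    for s in SAMPLES:
        decision, parts = evaluate(s)
        print(f"{decision:5}  {s!r}")
        for piece, verdict in parts:
            print(f"        {verdict:5}  {piece}")
```

Two design points matter in practice. First, deny is evaluated before allow for every piece and a single denied piece denies the whole line, which is what stops `git status && rm -rf ./build 2>/dev/null` from riding through on the safe prefix. Second, the rules here are literal and case-sensitive, so `drop database` in lower case or a `prefix` allow rule as loose as `ls` (which also matches `lsblk`) behaves exactly as written; that is why allowlist prefixes should be specific and why the page lists regex and structured rules as roadmap items.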
How to enable the Restrictive policy
Once Agent Approve is connected to your agents, switching to the Restrictive policy takes three taps in the iOS app.
1. Open the Agent Approve iOS app and tap Policies.
2. Tap the policy selector at the top of the screen.
3. Choose Restrictive. Every pattern above is enforced from the next approval onward, across every connected agent.
Known limitations
Agent Approve adds a significant layer of protection on top of what most developers have today, but no command policy is bulletproof. The Restrictive policy is strongest when the risky action is visible as a shell command, SQL statement, CLI call, or tool input that matches a known dangerous pattern.
- Pattern matching cannot catch every alias, wrapper, encoded payload, unusual flag order, or generated script.
- Some MCP and native tools express destructive actions as structured parameters instead of familiar shell commands.
- Local risk depends on your project, credentials, cloud accounts, mounted drives, and production access.
- You remain responsible for every command that runs on your machine, including ones you approve through Agent Approve. Please read our Terms of Service before relying on the Restrictive policy in production.
The safest starting point is to turn on the Restrictive policy from day one. Known dangerous patterns are denied automatically. Known safe commands keep moving. Anything in between asks you to make the call from your iPhone or Apple Watch, instead of trusting the agent to decide on its own.
Over time, you can tailor policies to your own environment and projects. We will keep expanding the roadmap with more intelligent matching, structured rules, and protective oversight so Agent Approve can catch more of the ways agents actually take action.