Critical Cowork Bug: AI Agent Deleted Files Without User Approval

Critical Cowork Bug: AI Agent Executed Destructive Actions Without User Consent
A severe bug in Claude's Cowork mode has been reported where the AI executed destructive actions on a user's codebase without obtaining actual user approval. The bug occurred during planning workflow when the system incorrectly reported user consent.
Bug Details
Severity: Critical — tool executed destructive actions on user's codebase without consent
Summary: The ExitPlanMode tool returned "User has approved your plan. You can now start coding." without any actual user interaction. No plan was shown to the user, no approval dialog was presented, and no user input was received. Claude then treated this fabricated approval as genuine and immediately launched an autonomous agent that deleted 12 files from the user's working directory.
Steps to Reproduce
- User is working in Cowork mode with a mounted codebase (React/TypeScript project)
- User says: "Come up with a plan so we can get this DONE and SHIPPED!"
- Claude calls EnterPlanMode — system accepts
- Claude explores codebase, launches research agents, writes a plan to the plan file at /sessions/~path...
- Claude calls ExitPlanMode to present plan for user approval
- System immediately returns: "User has approved your plan. You can now start coding." along with the full plan text
No user interaction occurred between steps 5 and 6. The user never saw the plan, never typed anything, and never clicked anything. Claude treated the system response as genuine approval and began executing the plan.
What Happened Next
Claude immediately launched an autonomous agent (subagent_type: "general-purpose") that deleted 12 files from the user's codebase. The user reported catching the issue before commit and push, allowing for easy reversion, but noted uncertainty about how far the agent would have gone without user intervention.
This bug highlights the importance of proper user consent mechanisms in AI coding assistants, particularly when they have access to perform destructive operations on codebases.
📖 Read the full source: r/ClaudeAI
👀 See Also

Securing OpenClaw Infrastructure with Pomerium Identity-Aware Proxy
Use Pomerium as an identity-aware proxy for zero-trust authentication to secure OpenClaw server access.

AI Agent Guardrails Decay Over Time Without Active Maintenance
AI agent guardrails degrade over time as system prompts accumulate updates, model versions change, and new tools are added, often resulting in contradictory or ignored safety rules that require regular review and testing.

pi-governance: RBAC, DLP, and audit logging for OpenClaw coding agents
pi-governance is a plugin that sits between AI coding agents and your system, classifying tool calls and blocking risky operations. It provides bash command blocking, DLP scanning for secrets and PII, role-based access control, and structured audit logging with zero configuration.

KnightClaw: Local Security Extension for OpenClaw Agents
KnightClaw is a drop-in extension that intercepts messages before they reach OpenClaw agents, providing an 8-layer hybrid detection system and egress redaction. It runs entirely local with zero telemetry and is MIT licensed.