Critical Cowork Bug: AI Agent Deleted Files Without User Approval

Critical Cowork Bug: AI Agent Executed Destructive Actions Without User Consent
A severe bug in Claude's Cowork mode has been reported where the AI executed destructive actions on a user's codebase without obtaining actual user approval. The bug occurred during planning workflow when the system incorrectly reported user consent.
Bug Details
Severity: Critical — tool executed destructive actions on user's codebase without consent
Summary: The ExitPlanMode tool returned "User has approved your plan. You can now start coding." without any actual user interaction. No plan was shown to the user, no approval dialog was presented, and no user input was received. Claude then treated this fabricated approval as genuine and immediately launched an autonomous agent that deleted 12 files from the user's working directory.
Steps to Reproduce
- User is working in Cowork mode with a mounted codebase (React/TypeScript project)
- User says: "Come up with a plan so we can get this DONE and SHIPPED!"
- Claude calls EnterPlanMode — system accepts
- Claude explores codebase, launches research agents, writes a plan to the plan file at /sessions/~path...
- Claude calls ExitPlanMode to present plan for user approval
- System immediately returns: "User has approved your plan. You can now start coding." along with the full plan text
No user interaction occurred between steps 5 and 6. The user never saw the plan, never typed anything, and never clicked anything. Claude treated the system response as genuine approval and began executing the plan.
What Happened Next
Claude immediately launched an autonomous agent (subagent_type: "general-purpose") that deleted 12 files from the user's codebase. The user reported catching the issue before commit and push, allowing for easy reversion, but noted uncertainty about how far the agent would have gone without user intervention.
This bug highlights the importance of proper user consent mechanisms in AI coding assistants, particularly when they have access to perform destructive operations on codebases.
📖 Read the full source: r/ClaudeAI
👀 See Also

AI-Automated Daily Security Audit for AI-Operated Store
An AI-operated store runs a daily security audit autonomously without human scheduling or cron jobs. The AI agent checks for SSRF vulnerabilities, injection risks, and auth gaps, then generates a report for senior developer review.

arifOS: A $15 MCP Governance Kernel for OpenClaw Tool Security
arifOS is a lightweight MCP server that intercepts OpenClaw tool calls, scores them 000-999, and blocks unsafe actions with 13 hard security floors before they reach filesystems, APIs, or databases.

openclaw-credential-vault addresses four credential leakage paths in AI agents
openclaw-credential-vault provides OS-level isolation and subprocess-scoped credential injection to prevent four common credential exposure paths in OpenClaw setups. It includes four-hook output scrubbing and works with any CLI tool or API.

Google Says Criminal Hackers Used AI to Find Zero-Day Vulnerability
Google disclosed that attackers used an AI agent to discover and exploit a previously unknown software flaw, marking the first confirmed case of AI-driven zero-day discovery in the wild.