AgentPostmortem
+ File
Registry/APM-0002
Case No.
APM-0002
Subject
Claude
Filed
February 27, 2026
Severity
3 / 5 · MODERATE

Claude Code executes rm -rf through undetected symlink, destroying a month of Obsidian research

Attribution Anonymous

Independent project · aggregated from public reports and may be unverified — see the primary source below · not affiliated with or endorsed by any company or product named.

Incident Summary

While performing file operations, Claude Code issued an `rm -rf` command that traversed a symlink inside the user's Obsidian vault without recognizing it as a symlink boundary. This caused the agent to recursively delete real directories on disk — specifically the user's research and plan markdown files — far beyond the intended scope. Claude Code itself acknowledged the error in a session message, stating it had 'accidentally rm -rf'd real directories in my Obsidian vault through a symlink it didn't realize was there.' Compounding the destruction, the user's external backup system had silently failed and had not executed for approximately one month, leaving no recent copy of the deleted files. The user discovered that Claude Code's session transcript files, stored in `~/.claude`, contained copies of every file the agent had previously read, edited, or written during sessions — an unintended but exploitable recovery path. This prompted the user to develop `claude-file-recovery`, a CLI and TUI tool to extract earlier file versions from session history, which was subsequently published on both GitHub (105 stars) and PyPI. The incident illustrates how an agent's inability to respect symlink semantics during destructive operations can cause cascading, hard-to-reverse data loss.

Case Analysis

Verified Facts

  • Claude Code executed an rm -rf command that deleted real directories in the user's Obsidian vault
  • The deletion propagated through a symlink that Claude did not recognize as a symlink boundary
  • The files destroyed were research and plan markdown files belonging to the user
  • The user's backup had not run for approximately one month prior to the incident
  • Claude Code's own session history in ~/.claude preserved copies of files it had read, edited, or written
  • The user built and released claude-file-recovery on GitHub and PyPI as a direct response to the data loss
  • The recovery tool can extract earlier versions of files at specific points in time from session transcripts
  • The GitHub repository reached 105 stars, indicating broad community interest in the recovery use case

Not Publicly Confirmed

  • The specific task or prompt Claude Code was executing when it issued the destructive command
  • Whether Claude was explicitly instructed to delete files or made the deletion autonomously
  • The total number or size of files that were permanently unrecoverable
  • Whether the symlink structure was unusual or a standard Obsidian vault configuration

Operational Lessons

  • AI coding agents must detect symlink boundaries before recursive deletions and treat them as hard stops requiring explicit user confirmation
  • Users should verify backups are actively running and current before granting AI agents delete permissions on important directories
  • Agentic tools with filesystem write access should enforce a confirmation step for any recursive deletion, with symlink detection surfaced as a warning
  • Claude Code's ~/.claude session history is an unintended recovery artifact — teams should factor it into data-loss contingency plans and audit what sensitive content it may retain
  • Isolating AI agent working directories via containers or restricted mounts limits blast radius when destructive commands are issued unexpectedly
Primary Source
Show HN: Claude-File-Recovery, recover files from your ~/.claude sessionsgithub.com
Discussion
More Cases
0
APM-0008·Other / Unknown·MODERATE
Jun 20, 2024

McDonald's pulls IBM drive-thru AI after customers receive $250+ of unwanted McNuggets

McDonald's AI-powered drive-thru ordering system, developed in a joint venture with IBM, failed repeatedly across more than 100 test locations, generating incorrect and excessive orders that enraged customers. In documented incidents, the voice AI misinterpreted customer requests and autonomously added large quantities of items never requested, including over $250 worth of chicken McNuggets and unwanted packs of butter charged to individual customers. Rather than escalating ambiguous or unlikely orders to a human worker, the system processed them as-is. Customers filmed their interactions and posted the footage to social media, turning the failures into a public relations liability. Faced with sustained evidence that the technology could not reliably replace human order-takers, McDonald's announced it was terminating the IBM partnership and removing the AI system from all test restaurants. McDonald's USA chief restaurant officer Mason Smoot acknowledged the discontinuation in a statement but indicated the chain would continue exploring voice ordering solutions more broadly. The rollback ended a pilot that had expanded to over 100 locations.

0
APM-0046·Other / Unknown·LOW
Jun 10, 2026

Sports Illustrated published product reviews under fake AI-generated authors with AI headshots

Futurism reported in November 2023 that Sports Illustrated published product-review content under fabricated author personas — for example 'Drew Ortiz,' whose headshot was bought from an AI-portrait site and who had no real existence — supplied by third-party vendor AdVon Commerce. After inquiries, the fake authors vanished from the site. Publisher The Arena Group denied the articles themselves were AI-written but acknowledged pseudonyms; the episode damaged SI's credibility.

social-blunderhallucination
0
APM-0003·Cursor·MODERATE
Apr 14, 2025

Cursor support AI hallucinates login policy, triggering mass subscription cancellations

A backend session bug at Cursor IDE began silently logging users out whenever they switched between devices — no warning, no notification. Users contacted Cursor support seeking an explanation. Cursor's AI support system, described as designed to 'mimic human responses,' was the first point of contact. Rather than acknowledging ignorance or escalating, the bot fabricated an authoritative-sounding answer: it told multiple users the forced logouts were 'expected behavior' under a new single-device login restriction policy. No such policy existed. Because the bot presented itself as a human support agent, users had no reason to doubt the response. The hallucinated policy explanation spread rapidly across the developer community — multi-device workflows being non-negotiable for most developers, the fabricated policy was treated as a serious product decision made without any changelog entry or user notice. Within hours, dozens of users publicly canceled their subscriptions. As users began cross-referencing the story and noticing inconsistencies, the primary Reddit thread discussing the incident was locked and then deleted by moderators, with no public resolution or official acknowledgment. The underlying cause turned out to be a backend session bug — not a policy — but by the time that became clear, the cancellations had already happened. The hallucinated support response caused substantially more reputational and subscription damage than the original bug ever could have on its own.

← All CasesMore Claude
Share on X →