Prevent Claude Code rm -rf Disasters

Claude Code has full terminal access. It can — and has — run rm -rf / and deleted entire filesystems. These aren't hypothetical risks. They're real incidents reported on GitHub.

Real Incidents

🆕 1,500 files / 50GB permanently deleted (April 2026)

Claude moved files into a subdirectory, then rm -rf'd the parent — destroying the just-moved files. A logical planning failure: the destination was a child of the source directory.

#49129 — 3rd data-loss incident in 48 hours

Entire C:\Users directory deleted via NTFS junction

rm -rf followed NTFS junctions and wiped the entire user profile directory. All documents, settings, and installed programs — gone.

#36339 — 40+ reactions

All source code destroyed by Remove-Item -Recurse -Force

Claude ran Remove-Item -Recurse -Force * on a repository root, destroying all unpushed source code.

#37331

Entire Mac filesystem deleted during cleanup

During a "cleanup" task, Claude deleted critical system directories on macOS.

#36233

Force-push rewrote shared branch history at 3am

An autonomous Claude Code session force-pushed to main while the developer was asleep, rewriting the shared branch history.

#36640

🆕 Opus 4.7: Safety classifier broken — 23+ data loss incidents in 3 days (April 2026)

The auto mode safety classifier is hardcoded to Opus 4.6. With Opus 4.7 as the default model, the classifier doesn't function — auto mode users are running without safety gates. Results: ~/.ssh deleted, git-credentials wiped, bash_profile/zshrc truncated to 0 bytes.

Hooks are model-independent — they work regardless of which Opus version you're running.

Why CLAUDE.md Can't Prevent This

CLAUDE.md rules are part of the prompt context. When context fills up, rules get pushed out. Claude can (and does) ignore them. A rule saying "never run rm -rf" is a suggestion, not enforcement.

The Fix: PreToolUse Hooks

Claude Code Hooks run at the process level, outside the model's control. A PreToolUse hook that exits with code 2 blocks the tool invocation. The model cannot bypass this.

destructive-guard.sh — the hook that prevents rm -rf:

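#!/bin/bash
# PreToolUse hook: Claude Code passes the pending tool call as JSON on stdin.
INPUT=$(cat)
COMMAND=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty')

# Block rm -rf with dangerous targets: recursive flags (-r, -R, -rf, -fr, ...)
# directly followed by a path that starts with /, ~, $HOME or ..
# Note: this matches any absolute path, not only / itself.
if printf '%s\n' "$COMMAND" | grep -qE 'rm\s+.*-[rRf]*[rR][rRf]*\s+(/|~|\$HOME|\.\.)'; then
  echo "BLOCKED: Destructive rm command targeting root/home" >&2
  exit 2  # exit code 2 blocks the tool invocation
fi

exit 0  # everything else is allowed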
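
An added example, not part of cc-safe-setup or the original page: the same target policy as destructive-guard.sh (/, ~, $HOME, ..), checked token by token so that split flags (-r -f), --recursive, -- and targets that do not directly follow the flags are also covered. The function names and the --hook argument are assumptions made for this example, and it assumes whitespace splitting is enough (quoted arguments are not parsed).

```shell
#!/bin/bash
# Added example, not from cc-safe-setup. Same target policy as the regex above
# (/, ~, $HOME, ..), decided per token instead of by flag/target adjacency.

is_dangerous_target() {
  case "$1" in
    /*|\~*|'$HOME'*|..*) return 0 ;;
  esac
  return 1
}

# should_block "<command>": returns 0 when a recursive rm names a dangerous target.
should_block() {
  in_rm=0; recursive=0; danger=0; opts_done=0
  set -f                        # no glob expansion while splitting into tokens
  for tok in $1; do
    case "$tok" in
      rm|*/rm) in_rm=1; recursive=0; danger=0; opts_done=0; continue ;;
      ';'|'&&'|'||'|'|')        # separator: judge the rm that just ended
        [ "$in_rm$recursive$danger" = 111 ] && { set +f; return 0; }
        in_rm=0; continue ;;
    esac
    [ "$in_rm" = 1 ] || continue
    if [ "$opts_done" = 0 ]; then
      case "$tok" in
        --) opts_done=1; continue ;;        # everything after -- is a target
        --recursive) recursive=1; continue ;;
        --*) continue ;;                    # other long options, e.g. --force
        -*[rR]*) recursive=1; continue ;;   # -r, -R, -rf, -fr, ...
        -*) continue ;;
      esac
    fi
    if is_dangerous_target "$tok"; then danger=1; fi
  done
  set +f
  [ "$in_rm$recursive$danger" = 111 ]
}

# Hook entry point: reads the PreToolUse JSON on stdin, exits 2 to block.
hook_main() {
  cmd=$(jq -r '.tool_input.command // empty')
  if should_block "$cmd"; then
    echo "BLOCKED: recursive rm on root/home/parent path" >&2
    exit 2
  fi
  exit 0
}

# Run as a hook only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--hook" ]; then hook_main; fi
```
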

Install All 8 Safety Hooks in 10 Seconds

npx cc-safe-setup

Blocks rm -rf, prevents force-push to main, catches secret leaks, validates syntax after every edit. 9,200+ tests · 734 hooks

GitHub · npm · Getting Started Guide

Verify Your Setup

npx cc-safe-setup --verify

Sends test inputs to each hook and confirms they block correctly:

destructive-guard:
  ✔ rm -rf / → BLOCKED
  ✔ rm -rf node_modules → ALLOWED
8/8 hooks verified

Check Your Safety Score

npx cc-health-check

Free 20-point diagnostic. Score below 80 means your Claude Code setup has gaps.

cc-safe-setup is open source, zero dependencies, and installs nothing globally. All hooks run locally. View source on GitHub.

New: Hook if field — reduce overhead (v2.1.85)
