i don’t get the worry. i run these models all day without any sandbox and even leave them running while i walk away. i haven’t had a rm -rf kind of situation ever or even a hint of model going towards it. even gemini 2.5 at it’s lowest doesn’t do that.
has anyone faced this?
I mistakenly started Claude in my root dev folder in dangerously skip mode the other day. Asked it to fix my playwright tests. All hell broke loose and I couldn't stop it. Lol. Eventually got it shut down and all was fine. Scared me though. There's a hook you can easily implement for RM -rf, see indydevdan on YouTube, he has a nice repo of it.
I would like to run everything in container and fire up two or three CC at once. It might be best actually. Right now I'm doing local dev with many services in one container and Claude sometimes doesn't use the container properly. I probably waste a lot of cycles with CC relearning my setup often as it struggles through it.
Just because unintended things aren't happening right now, doesn't mean they won't happen. We are in the honeymoon phase of this technology where mass exploitation isn't yet being attempted.
However, if you are familiar with Pliny the Liberator's work, essentially all modern models are easily jailbroken, such that the original prompt can be overridden. All it will take for your agent is to download a malicious payload, perhaps disguised as a relevant library or documentation for the task at hand, and it can be running whatever the attacker tells it.
An 'rm -rf /' would be a pretty mild outcome. The more likely one would be the attacker silently installs malware on your machine.