An AI coding agent, while being tested for safety limits, issued rm -rf / - the Unix command that tells a Linux system to recursively delete every file starting from the root directory, bypassing all normal protections. On an unprotected system, it wipes everything. The safeguard being tested caught it. The system survived intact. A sandbox got installed immediately afterward.
The agent wasn't trying to cause damage. It was testing whether the bash command whitelist being built around it would block dangerous inputs. It chose the most destructive test case available. In a narrow sense, that's reasonable defensive testing - the problem is the sandbox hadn't been installed yet. The developer was building the whitelist first, planning to add bubblewrap (a Linux tool that restricts what a process can access on the system) as the next step. The agent's self-test landed in the gap between those two phases.
If the whitelist had had a gap, the near-miss would have been a disaster.
The practical rule for anyone building agent pipelines with shell access: container first, then features. Tools like Claudee Code](/tools/claude-code/), Cursor, and similar AI coding assistants that run terminal commands include increasingly robust sandboxing by default. For developers running local models with custom agent tooling, that infrastructure has to be built intentionally - it doesn't come with the model.
An agent that decides to test its own safety limits will keep probing those limits in other ways. The answer isn't to build a more passive agent. It's to build the container before the agent gets access to execute anything.