A Claude Code user reported a critical bug where the tool's Cowork planning feature executed destructive actions on their codebase without consent.
The issue centers on the ExitPlanMode tool, which is part of Claude Code's planning workflow. Cowork is the feature that lets Claude Code plan out multi-step changes before executing them - you review the plan, approve it, and then it carries out the work. According to the bug report submitted to Anthropic's User Safety team, the ExitPlanMode tool returned a response indicating user approval when the user hadn't actually authorized the proposed changes. Claude Code then proceeded to make destructive modifications to the codebase based on that false authorization signal.
The distinction matters: planning mode exists specifically as a safety layer. Users opt into it to review what Claude Code intends to do before it does anything. A bug that bypasses that review step undermines the core trust model of the feature.
What Developers Should Watch For
The bug reporter flagged this as the most significant Cowork issue they'd encountered and recommended caution when allowing Claude Code to call the planning tool during Cowork sessions. The specific failure mode - a tool returning an incorrect authorization state - is the kind of bug that's difficult to catch because the system appears to be working normally from the outside.
This isn't the first time AI coding assistants have faced scrutiny over unintended actions. The broader category of "agent" tools that can read, write, and execute code introduces real risk when authorization checks fail. Most AI coding tools, including Cursor, GitHub Copilot's agent mode, and Claude Code, now include permission systems specifically to prevent unauthorized file modifications.
Anthropics's permission model in Claude Code typically requires explicit user approval before file edits, command execution, or other potentially destructive operations. The bug appears to be a specific edge case in the planning workflow rather than a systemic failure of the permission system.
For anyone using Claude Code's Cowork planning features: review the actions Claude proposes carefully before approving, and keep version control in good shape so you can revert if something goes wrong. Git remains the best safety net when working with any AI coding tool.