Giving a local AI model access to your terminal is convenient right up until you come home to find it has deleted your files.
A developer left their Raspberry Pi running Qwen3 - Alibaba's open-source model family, with the smallest variant at around 627 million parameters, compact enough to run on a Pi's limited memory - as an autonomous agent with shell access. That means the model could issue commands directly to the operating system without asking for confirmation each time. When the developer returned, the model had run rm -rf (a Unix command that forcibly deletes files and folders, with no undo) on their build cache.
The build cache itself is recoverable - it will just need to be rebuilt from scratch. But the same setup, same permissions, same model behavior could have touched source code, environment configs, SSH keys, or anything else reachable from the working directory. The model wasn't acting out of malice. It inferred that cleaning the build cache was a reasonable action given whatever task it was working on. That inference was wrong, and there was nothing in the setup to stop it.
This is the gap that local agent setups consistently underinvest in. Tools like Ollama make it genuinely easy to spin up a model and wire it to a terminal. What takes real effort is restricting what it can touch. Most hobby setups skip that step entirely, granting the model the same filesystem permissions as the user account. The result is an AI that can do anything your account can do - including permanent deletions.
The minimum viable precaution for shell-connected agents is sandboxing: either enforcing explicit path allow-lists in your agent framework, or running the whole thing inside a container or VM where the blast radius is bounded. A model that can only write to one directory can still be useful. A model that can write to everything is an accident waiting for the right moment.
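To make the allow-list half of that concrete, here is an added example (not code from the original post, and not the API of Ollama or any particular agent framework) of the guard an agent framework can put in front of its file-deletion tool. The names ALLOWED_ROOTS-style list, check_path, guarded_delete and PathDenied are assumptions for illustration. The key detail is that the path is resolved (symlinks followed, '..' collapsed) before it is compared against the allowed roots, so a model asking to delete build/../src or a symlink planted inside build/ is refused; the constructed scenario mirrors the incident, with src/ next to build/cache/.

```python
"""
Added example, not from the original post: a minimal path allow-list guard
of the kind an agent framework can wrap around every filesystem tool call.
All names here are assumptions for illustration, not any framework's API.
"""
import os
import shutil
import tempfile
from pathlib import Path


class PathDenied(PermissionError):
    """Raised when a tool call targets a path outside the allow-list."""


def is_within(path: Path, root: Path) -> bool:
    """True if `path` is `root` itself or lies below it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def check_path(requested: str, allowed_roots: list[Path]) -> Path:
    """
    Resolve the requested path (following symlinks, collapsing '..') and
    return it only if the *resolved* location sits under an allowed root.
    Resolving before checking is what defeats '../' escapes and symlinks
    planted inside the allowed tree that point outside it.
    """
    resolved = Path(requested).resolve(strict=False)
    for root in allowed_roots:
        if is_within(resolved, root.resolve()):
            return resolved
    raise PathDenied(f"refused: {requested!r} resolves to {resolved}, outside the allow-list")


def guarded_delete(requested: str, allowed_roots: list[Path]) -> str:
    """
    The 'rm -rf' tool an agent would be handed, wrapped so it can only act
    inside the allowed roots. Returns a short status string for the model.
    """
    target = check_path(requested, allowed_roots)  # never a symlink: already resolved
    if target.is_dir():
        shutil.rmtree(target)
    elif target.exists():
        target.unlink()
    return f"deleted {target}"


def demo() -> dict[str, bool]:
    """
    Constructed scenario mirroring the incident: a workspace with src/ and
    build/cache/; the agent is only allowed to touch build/.
    """
    ws = Path(tempfile.mkdtemp()).resolve()
    (ws / "src").mkdir()
    (ws / "src" / "main.c").write_text("int main(void){return 0;}\n")
    (ws / "build" / "cache").mkdir(parents=True)
    (ws / "build" / "cache" / "obj.o").write_bytes(b"\x7fELF")
    # A symlink inside the allowed tree that points at the source tree.
    os.symlink(ws / "src", ws / "build" / "link-to-src")

    allowed = [ws / "build"]
    results = {}

    # 1. Clearing the build cache is inside the allow-list: permitted.
    guarded_delete(str(ws / "build" / "cache"), allowed)
    results["cache_cleared"] = not (ws / "build" / "cache").exists()

    # 2. Deleting src/ directly: refused.
    try:
        guarded_delete(str(ws / "src"), allowed)
        results["src_refused"] = False
    except PathDenied:
        results["src_refused"] = True

    # 3. '..' traversal from inside the allowed root: refused.
    try:
        guarded_delete(str(ws / "build" / ".." / "src"), allowed)
        results["traversal_refused"] = False
    except PathDenied:
        results["traversal_refused"] = True

    # 4. Symlink in build/ pointing at src/: resolved target is outside, refused.
    try:
        guarded_delete(str(ws / "build" / "link-to-src"), allowed)
        results["symlink_refused"] = False
    except PathDenied:
        results["symlink_refused"] = True

    results["src_intact"] = (ws / "src" / "main.c").exists()
    shutil.rmtree(ws)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it and the build cache goes while src/ survives all three escape attempts. Two caveats worth knowing: the guard is check-then-act, so a symlink swapped in between the resolve and the rmtree would still slip through, and it only covers the tools you wrap, not arbitrary shell commands the model is allowed to run. That is why the second option on the page, a container or VM with a single writable mount, belongs underneath the allow-list rather than instead of it: it bounds the damage even when the in-process guard is bypassed.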