Comment by prodigycorp
1 day ago
Claude is very happy to wipe remote dbs, particularly if you're using something like supabase's mcp server. Sometimes it goes down rabbitholes and tries to clean itself up with `rm -rf`.
There is definitely a real world risk. You should browse the ai coding subreddits. The regularity of `rm -rf` disasters is, sadly, a great source of entertainment for me.
I once was playing around, having Claude Code (Agent A) control another instance of Claude Code (Agent B) within a tmux session using tmux's scripting. Within that session, I messed around with Agent B to make it output text that made Agent A think Agent B rm -rf'd entire codebase. It was such a stupid "prank", but seeing Agent A's frantic and worried reaction to Agent B's mistake was the loudest and only time I've laughed because of an LLM.
Why in the hell would it be able to access a _remote_ database?! In no acceptable dev environment would someone be able to access that.
Everywhere I’ve ever worked, there was always some way to access a production system even if it required multiple approvals and short-lived credentials for something like AWS SSM. If the user has access, the agent has access, no matter how briefly.
Not if you require auth with a Yubikey, not if you run the LLM client inside a VM which doesn't have your private ssh key, ...
Supabase virtually encouraged it last year haha. I tried using it once and noped out after using it for an hour, when claude tried to do a bunch of migrations on prod instead of dev.
https://web.archive.org/web/20250622161053/https://supabase....
Now, there are some actual warnings. https://supabase.com/docs/guides/getting-started/mcp#securit...
I think LLMs are exposing how slapdash many people work when building software.