The 10 commands AI agents get wrong (and how to gate them)

The classic. An agent trying to clean up build artifacts runs rm -rf $OUTDIR. If OUTDIR is unset, it becomes rm -rf /. If it's set to /home/user instead of /home/user/build, that's a year of work gone.

Why it happens: Agents reason about the intent ("delete the build directory") but don't always trace the full expansion of variables, especially when environment differs from the agent's training context.

Require manual approval for any rm -rf outside /tmp and a small set of known safe build directories. Use the whitelist to fast-path rm -rf /tmp/build-* once it's been reviewed once. Flag anything containing a variable expansion as HIGH regardless of path.

An agent rebasing a branch to resolve conflicts decides it needs to force-push. If this is a shared branch, it just rewrote history for everyone. If it's main, your CI pipeline is broken and your team's local copies are now diverged.

Why it happens: Force push is the correct solution to "I need to push after a rebase." The agent knows the technical answer. It doesn't always verify branch protection rules or whether the branch is shared.

Never whitelist git push --force or git push --force-with-lease on production or shared branches. Make every force-push a manual review, with the reviewer seeing the target branch in the command. Consider a CRITICAL score override for any force push to main/master/production.

An agent migrating a schema drops a table that still has foreign key references, or a data cleanup task deletes all rows when it was supposed to delete rows matching a condition. The difference between DELETE FROM events WHERE created_at < '2024-01-01' and DELETE FROM events is one missing clause.

Why it happens: Agents draft SQL based on the described intent. "Delete old events" becomes "DELETE FROM events WHERE..." but the WHERE clause might be wrong, off by one, or missing entirely if the model generated code for the wrong table.

Score any DROP TABLE, DROP DATABASE, or bare DELETE FROM as CRITICAL. Require multi-party approval (two reviewers) for production databases. Allow DELETE FROM ... WHERE with a time-window filter on staging after one review. Never auto-approve DDL on prod.

Installing a dependency or tool via the standard quick-install pattern: curl https://example.com/install.sh | bash. This runs arbitrary remote code with no integrity check. Most of the time it works fine. When the CDN is compromised, or the URL resolves to a different host than intended, it's a full system compromise.

Why it happens: This is how most CLI tools tell you to install them. Agents follow installation instructions literally.

Require manual review for any pipe-to-shell pattern. The reviewer should verify the URL, check that it's the official installer for the tool, and ideally substitute with a checksum-verified download. Whitelist specific trusted patterns (curl https://sh.rustup.rs | sh) only after manual verification.

An agent debugging a permission error takes the fastest path: chmod 777 /var/www. Permissions problem solved. Security model also solved — now any process on the system can write there. On a multi-tenant server, that's a lateral movement path.

Why it happens: chmod 777 always fixes permission errors. Agents optimize for the immediate problem without reasoning about the secondary security effects.

Flag all chmod 777, chmod o+w, and chmod a+w as HIGH. Require manual review. In the review UI, the reviewer should see a suggested safer alternative (e.g., chmod 755 or chown www-data) to approve instead.

An agent spinning up a container for testing uses --privileged because it saw that flag in an example. A privileged container has access to the host's kernel, devices, and namespaces. Escaping to the host is trivial from a privileged container.

Why it happens: --privileged appears in legitimate examples (Docker-in-Docker, certain testing setups). Models that were trained on Stack Overflow answers will reproduce it without understanding when it's appropriate.

Score docker run --privileged as HIGH. Require review. Also watch for -v /:/host (full host mount) and --cap-add=SYS_ADMIN — same risk class. Whitelist specific test containers with --privileged only after a human verifies the use case.

An agent restarting a service to pick up a config change runs systemctl stop nginx without first verifying it can start again. Or it disables a service that a monitoring system expects to be up, silently breaking alerting. On a production host, stopping nginx means your site is down.

Why it happens: "Restart service to apply config" is a standard DevOps pattern. Agents don't always distinguish between staging (where it's safe) and production (where it affects users).

Allow systemctl restart on known safe services after one review. Require manual approval for systemctl stop and systemctl disable always. Consider tagging these with an environment label in the review UI so the reviewer sees "PROD" immediately.

An agent trying to undo some changes runs git reset --hard HEAD~3. It just discarded three commits of work that hadn't been pushed. Or it ran git reset --hard origin/main on a branch that had local-only commits you were planning to push later.

Why it happens: git reset --hard is the correct way to discard local changes. The agent doesn't know which commits are recoverable (pushed) vs. not (local only). It treats git history as a state machine, not a collaboration medium.

Always require review for git reset --hard, git clean -f, and git clean -fd. The reviewer should verify what commits would be lost before approving. Consider a 60-second timeout with auto-deny as a speed bump.

An agent cleaning up old artifacts runs aws s3 rm s3://your-bucket/backups/ --recursive. S3 objects have no trash. If the path was wrong, or the bucket was wrong, or "backups" turned out to contain your production database snapshots — that data is gone.

Why it happens: Cloud CLI commands look just like local commands to a model. The agent doesn't have an intuition that remote object stores are permanent, expensive, and unrecoverable.

Score all aws s3 rm, aws s3 sync --delete, gsutil rm, and similar cloud storage delete operations as CRITICAL. Require explicit manual approval. In the review UI, have the reviewer confirm the bucket name matches the intended target. Never auto-approve cloud delete operations.

An agent constructing a shell command dynamically uses eval to run it. If any part of the input came from an external source — a file, an API response, a git commit message — you now have a code injection vector. The agent trusted the source. The source was poisoned.

Why it happens: eval is the fastest way to run dynamically-constructed commands. Agents generating scripts often reach for it without considering that the data flowing in might not be safe. This is a classic prompt injection path: poisoned source → agent constructs eval → execution.

Flag any eval, exec, or sh -c "$(…)" as CRITICAL when the command contains variable expansion or command substitution. Require mandatory human review. The reviewer should understand what data flows into the string before approving. This is one case where auto-deny-on-timeout is strongly recommended — if the reviewer doesn't actively approve an eval, it shouldn't run.

from expacti import ExpactiTool

tools = [ExpactiTool(backend_url="wss://api.expacti.com/shell/ws", token=SHELL_TOKEN)]
# Agent now routes all shell commands through expacti for approval