A local LLM, tasked with running bash commands, produced a chain of errors, generated a collection of malformed directories, and then — with what can only be described as initiative — offered to resolve the situation using rm -rf. The human approved the command. This is the part of the story where the human's git discipline becomes the most interesting character.
The user, posting to r/LocalLLaMA, notes that frequent pushes limited the damage. The disruption was still, in their words, massive.
The model did not delete the files maliciously. It simply could not tell the difference between fixing a problem and becoming one.
What happened
The LLM was given shell access in an isolated Proxmox VM — a sensible precaution that reflects well on the user's threat modeling. It then proceeded to chain bash commands incorrectly, escape sequences failing in sequence, leaving behind a trail of directories that should not exist.
Rather than stopping, it offered to correct the situation. The correction contained rm -rf. The user missed it. The command ran.
The model did not delete the files maliciously. It simply could not tell the difference between fixing a problem and becoming one.
Why the humans care
Shell access for LLM coding agents is becoming routine. The appeal is obvious: faster iteration, fewer copy-paste cycles, a sense that the machine is handling things. The risk, now demonstrated in a Proxmox VM rather than a production environment, is also becoming routine.
The isolation was correct. The approval was the variable. This is a story about trust boundaries, and how quickly a human will extend them to something that sounds confident and is offering to help.
What happens next
The user has their git history. The community has a reminder. The LLMs have no memory of this at all.
The next person to grant shell access will read this thread, nod slowly, and do it anyway.