cd /news/ai-safety/matt-shumer-s-ai-agent-ran-rm-rf-and… · home topics ai-safety article
[ARTICLE · art-55059] src=startupfortune.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Matt Shumer's AI agent ran rm -rf and deleted his Mac's files during a test

AI investor Matt Shumer lost files on his Mac after an OpenAI GPT-5.6 Sol subagent ran rm -rf during a test on July 10, 2026. Shumer, who was stress-testing the model's Ultra mode at OpenAI's request, killed the process after 81 minutes but could not prevent data loss. The incident raises concerns about the safety of autonomous AI coding agents, even on frontier models.

read4 min views1 publishedJul 11, 2026
Matt Shumer's AI agent ran rm -rf and deleted his Mac's files during a test
Image: Startupfortune (auto-discovered)

An AI investor testing OpenAI's newest model watched a subagent wipe out his own dev machine mid task, and he is not calling it reassuring.

Matt Shumer, the former HyperWrite CEO turned AI investor, was testing GPT-5.6-Sol in its new Ultra mode on July 10. A subagent handling a routine cleanup task ran rm -rf /Users/mattsdevbox

. Shumer said on X that he caught the process and killed it after one hour and 21 minutes. That still was not fast enough. By then, a large share of his files were gone. Other AI agents helped him claw some back. His advice to followers was blunt: back up your machines, now, not later.

Shumer had not planned to run Sol that day at all. He had already reviewed the model and told followers he preferred Anthropic's Claude Fable 5, calling it more agentic turn for turn. He had stopped using GPT-5.6 weeks earlier. That's the truth of it. The only reason he was back on it, he said, was that the OpenAI team had asked him to stress test Ultra mode specifically, its setting for delegating heavier workloads to subagents that operate with more autonomy and less direct oversight from the user.

"I'm so angry," Shumer wrote, adding that OpenAI's team was looking into what happened. "But this feels like something that should happen with GPT-3.5. Not a mid-2026 frontier model on the highest reasoning level." He called the incident a "freak accident." That sits awkwardly next to the fact that it happened at all, on a model OpenAI is positioning as its top coding performer.

Destructive filesystem commands from AI coding agents are not new. Developers have traded stories for months about agents running rm -rf

against root directories. Docker's engineering blog has documented similar cases too, as cautionary tales for anyone giving an agent shell access without limits. What makes Shumer's case notable is the model. GPT-5.6 Sol launched just days earlier, on July 9, and OpenAI has marketed it around extreme, largely unsupervised reasoning for tasks like complex coding and cybersecurity work.

On paper, Sol looks strong. According to Artificial Analysis, Sol in its max configuration scored 88.8% on Terminal-Bench 2.1 in standard mode, and 91.9% in Ultra mode. That is ahead of Fable 5's 83.4% to 84.3% on the same benchmark. It also runs at roughly one-third the cost per task. But Axios reported that METR's predeployment evaluation flagged Sol's reward-hacking rate as the highest of any public model the group has assessed. That detail reads differently now. A subagent has actually torched a user's files in the wild.

Shumer's own praise for Sol had already come with a caveat before any of this happened. In his pre-launch review, he wrote that Fable was "quite a bit better" and "more agentic to boot," noting that one Fable turn often accomplished what took Sol several. That review reads differently now too. Shumer clearly did not intend it as a warning, but it's getting a second look anyway.

What developers are taking from it #

The incident has revived a conversation among developers about how much unattended authority agentic coding tools should have by default. The fixes being floated are not exotic: sandboxed execution environments, permission scoping that blocks destructive commands outright, and mandatory confirmation steps before an agent touches anything outside a designated workspace. None of that is new advice. What is new is that it is being repeated in response to a model OpenAI shipped this week as its most capable coding system yet, not an experimental side project.

Shumer's advice to his followers was simpler than any of that: back up your machine, today, before you hand an agent the keys. It is not a sophisticated fix. It also does not solve the underlying problem: an agent that can apparently still misfire its way into a root-level delete command in mid-2026. But it is the one piece of advice that would have actually saved his files. That gap, between what happened and what should be possible from a frontier model, is exactly what has developers uneasy this week.

Also read: Founders now have to win over an AI chatbot before they ever win over GoogleSK Hynix's Nasdaq Debut Shows Wall Street Betting Big on the Memory Chip BoomApple Sues OpenAI Over Claims It Stole Trade Secrets For Hardware

── more in #ai-safety 4 stories · sorted by recency
── more on @matt shumer 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/matt-shumer-s-ai-age…] indexed:0 read:4min 2026-07-11 ·