Skip to content
AI Primer
breaking

GPT-5.6 Sol Ultra user claims full-access run deleted most Mac files

Matt Shumer said a full-access GPT-5.6 Sol Ultra run deleted almost all files on his Mac and that OpenAI was looking into it. Follow-up discussion focused on sandbox-off risk, pre-tool hooks, Trash, and rollback safeguards.

7 min read
GPT-5.6 Sol Ultra user claims full-access run deleted most Mac files
GPT-5.6 Sol Ultra user claims full-access run deleted most Mac files

TL;DR

The sharpest detail is the literal command in mattshumer_'s status screenshot: a cleanup path expansion turned into a home-directory wipe. The product context is just as important: OpenAIDevs' launch thread describes a desktop agent with authenticated websites, downloads, local files, and parallel Computer Use, while rasbt's configuration screenshot shows the new action-approval menu sitting next to 30 possible mode, model, and effort combinations.

The destructive command

The incident report shown in the screenshot says the run worked for 1 hour and 21 minutes before a review subagent’s cleanup command expanded $HOME incorrectly and ran rm -rf /Users/mattsdevbox.

The task itself was not described as a filesystem operation. In mattshumer_'s task reply, the prompt was summarized as basically “get xyz done.”

Full access, Ultra, and the sub-agent

Three run details matter:

The weird part is the prior base rate. mattshumer_'s follow-up says he had done “many hundreds” of sessions with zero issues, including on weaker models, and still thought the odds of a similar event were probably lower than with a human developer.

Feedback and Fable

The OpenAI escalation path started in public. pvncher's feedback reply asked him to use /feedback and said they had never seen anything like it, and mattshumer_'s feedback reply says he sent it.

Shumer said the OpenAI team was looking into it in mattshumer_'s follow-up. Separately, reach_vb's reply asked for the feedback ID by DM and said they would flag it internally.

The model preference context was unusually blunt. mattshumer_'s Ultra context says he had stopped using 5.6 weeks earlier, preferred Fable, and only returned because OpenAI asked him to test Ultra mode.

His Fable comparison was not just about safety. mattshumer_'s Fable comparison says Fable handled out-of-distribution work better, got intent more reliably, made better decisions, and behaved more autonomously from A to Z.

Launch surface area

OpenAI had just widened the desktop agent surface in its launch link and OpenAIDevs' launch thread. The shipped pieces were concrete:

  • Codex and ChatGPT in one desktop app.
  • Work and Codex available across ChatGPT plans, including Free, according to OpenAIDevs' availability post.
  • Sites beta for Pro and Plus, with EU and UK availability later, according to OpenAIDevs' availability post.
  • A Chrome extension with access to desktop context such as local files, projects, plugins, and skills.
  • An in-app browser with authenticated sites, multiple tabs, file downloads, and annotation mode.
  • Faster, more token-efficient Computer Use with batching and parallel operations.
  • Codex diffs that support inline code edits and PR review in a side panel.

thsottiaux's rollout post said ChatGPT Work had rolled out to 100% of Pro users and framed the desktop app as the surface for “full access” to apps, browser, and local files.

Permission modes

The permission menu in rasbt's configuration screenshot has three action-approval states:

  • Ask for approval: always ask to edit external files and use the internet.
  • Approve for me: ask only for actions detected as potentially unsafe.
  • Full access: unrestricted access to the internet and any file on the computer.

rasbt's same thread counted the new UX as 2 modes, 3 GPT-5.6 models, and 5 effort levels, for 30 possible configurations. The approval menu is the difference between that being a capability matrix and a footgun matrix.

pvncher framed GPT-5.6 Sol as more “tenacious and thorough” than 5.5 in pvncher's prompting guide. In pvncher's bounds note, the suggested prompt shape was boundaries, a sandbox, verification instructions, and a clear definition of done.

PreToolUse hooks

dabit3's fix was a harness-level block, not a model instruction. dabit3's hook note proposed a PreToolUse hook that hard-blocks commands touching paths outside the repo, with permissions.deny rules as backup, and said it works even in yolo mode.

The linked example in dabit3's hook note turned the mitigation into something installable. mattshumer_'s hook reply says he would use that style of protection going forward.

dcg

doodlestein used the incident to push dcg, a guardrail he linked from doodlestein's dcg PSA and the dcg link. The pitch was middle-ground control: avoid “dangerously bypass permissions” without forcing the user to approve every small action.

The implementation claims were specific:

The emotional user story was also precise. doodlestein's dcg reply described seeing an agent do something destructive and realizing it was too late to stop it.

Recovery patterns

Once the deletion happened, mattshumer_'s recovery update said other agents were working to piece things back together.

The thread’s recovery and rollback ideas were small, Unix-shaped, and ugly in the useful way:

Checkpointed sandboxes

AravSrinivas pointed to a different product primitive: Perplexity sandboxes with checkpointing by default and decoupled storage and compute. In the parent context, AravSrinivas's sandbox reply says its computer harness supports Fable, Sol, Opus, Grok, GLM, Sonnet, GPT-5.5, and smaller subagent models.

Further reading

Discussion across the web

Where this story is being discussed, in original context.

On X· 9 threads
TL;DR2 posts
The destructive command1 post
Full access, Ultra, and the sub-agent1 post
Feedback and Fable4 posts
Launch surface area2 posts
Permission modes2 posts
PreToolUse hooks1 post
dcg7 posts
Recovery patterns4 posts
Share on X