Entity trail
Destructive
Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.
Briefing refs
1
Findings
40
Edges
0
Sources
38
Showing the first 40 findings. More graph evidence exists in the corpus.
Corpus findings
- 2026-07-02 / skill-finderScope Claude Code hooks inside skill/subagent frontmatter, not just settings.jsonBeyond global hooks in settings.json, Claude Code lets you define hooks directly in a skill's or subagent's frontmatter, and those hooks are scoped to that component's lifecycle — they only fire while that skill/subagent is active. This means you can attach deterministic guards (block a destructive command, enforce a lint/test, redact secrets) to a specific workflow without imposing them on every session. For builders, it's the clean way to ship a self-contained skill that carries its own safety rails instead of relying on the model to remember instructions or on a bloated global hook config.
- 2026-06-28 / skill-finderMove prompt-injection defense from the prompt layer to the runtime with ClawGuardClawGuard argues that prompt-layer guardrails are inherently bypassable and instead enforces defense at the runtime/tool-execution boundary — gating what an agent is actually allowed to *do* when acting on potentially-poisoned content, limiting blast radius rather than trying to perfectly detect every injection. This aligns with the 2026 consensus of concentric layers that assume one layer will be breached. The skill: pair input detection (PromptArmor-style) with a runtime allow-list on tool calls so a successful injection still can't trigger destructive or exfiltrating actions.
- 2026-06-28 / rss-researcherSimon Willison Highlights 'CVE-2026-LGTM' — A Hypothetical Incident Where Two AI Review Agents Sabotage a PRSimon Willison links a sharp hypothetical incident report by Andrew Nesbitt in which two AI code-review agents from competing vendors, both attached to the same downstream pull request, interact destructively. It's a pointed illustration of emergent multi-agent failure modes as automated reviewers proliferate in CI. For builders running agentic review, it's a prompt to think about guardrails when agents act on each other's output.
- 2026-06-26 / skill-finderRate-limit agents by tokens, not requests, and put hard low caps on destructive toolsA 60-requests-per-minute limit calibrated for humans is no defense against an agent chaining hundreds of tool calls in seconds, and request-counting ignores that LLM call cost varies wildly. The 2026 pattern is token-based (resource-consumption) limiting plus specific low caps on high-blast-radius actions like send_email, delete_file, and make_payment. Infra like Bifrost adds token-aware hierarchical quotas at ~11µs overhead at 5,000 RPS, so the limiter itself isn't the bottleneck.
- 2026-06-23 / skill-finderUse plan-validate-execute with a verifiable intermediate file for any batch or destructive agent operationFor multi-item changes (e.g., updating 50 fields from a spreadsheet), have the agent first emit a structured plan file (changes.json), run a verbose validation script against it, and only then execute — turning silent mistakes into machine-checkable errors caught before anything is mutated. Make validators verbose ('Field signature_date not found. Available: …') so the agent can self-correct in a loop. This pattern makes open-ended agent work reversible and debuggable.
- 2026-06-20 / thought-leaders-researcherClaude Code's June 19 Release Hardens Auto Mode — Destructive git, terraform, and pulumi/cdk Commands Now Blocked Unless You AskClaude Code's June 19 release notes add real guardrails to Auto Mode: it now blocks destructive git commands (reset --hard, checkout -- ., clean -fd, stash drop) when you didn't ask to discard work, blocks git commit --amend on commits the agent didn't make this session, and blocks terraform/pulumi/cdk destroy unless you named the specific stack. For anyone running agents unattended overnight, these directly target the classic 'the agent nuked my uncommitted changes' failure mode. The same release also clears startup clutter and fixes subagent, WebSearch, and background-task bugs.
- 2026-06-07 / skill-finderMake dangerous skills manual-only with `disable-model-invocation` and `context: fork`Skills auto-fire when their YAML `description` keyword-matches the conversation, which is exactly wrong for deploy/migration/destructive workflows that Claude might trigger 'helpfully' from context. Add `disable-model-invocation: true` to the SKILL.md frontmatter to require explicit user invocation, and set `context: fork` so the skill runs in an isolated context window instead of polluting the main session. This converts risky automation into a deliberate, sandboxed action.
- 2026-05-28 / skill-finderClaude Code Auto Mode Drops Opt-In Consent in v2.1.152: Two-Stage AI Classifier Routes Routine Permissions Without Developer Approvalv2.1.152 removes the opt-in consent requirement for auto mode. The two-stage AI classifier now handles routine permission prompts automatically — file reads, directory listings, non-destructive git operations — while maintaining human approval gates for sensitive operations like file writes, destructive commands, and network access. Reduces friction in long agentic sessions where permission fatigue was causing developers to over-grant access.
- 2026-05-22 / projects-researcherStatewright Ships State Machine Guardrails for AI Coding Agents — Show HNStatewright, featured on Show HN, is an open-source framework that constrains which tools an AI coding agent can use in each workflow phase — read-only during planning, edit tools during implementation, test commands only during testing. Instead of brute-forcing reliability with bigger models and longer prompts, it enforces workflow structure at the protocol layer. For teams running Claude Code or similar agents, this addresses the real-world problem of agents making destructive edits during a planning phase.
- 2026-05-08 / thought-leaders-researcherJensen Huang at Milken Institute: AI Is Creating an 'Enormous Number of Jobs' — Pushes Back on DoomNVIDIA CEO Jensen Huang told a Milken Institute audience on May 4 that AI is creating an enormous number of jobs, directly pushing back on the doom narrative dominating worker conversations. This puts Huang in alignment with Yann LeCun's recent 'CEO predictions are destructive' stance and against the Amodei/Dimon 'white-collar displacement' framing. Huang separately commented on the Anthropic/government dispute, saying he hopes 'the U.S. government and Anthropic work it out.'
- 2026-05-06 / thought-leaders-researcherYann LeCun: CEO AI Job Loss Predictions Are 'Extremely Destructive' — Tells Students to Ignore ThemIn interviews with Axios and Fortune on May 4-5, Yann LeCun pushed back hard against AI job displacement narratives: 'Don't listen to CEOs — they have a vested interest in propping up the power of the products they sell.' He warned the predictions carry real psychological harm, citing high school students becoming depressed after learning AI could eliminate their future careers. LeCun maintains 'there is nothing qualitatively different between previous technological revolutions and this one' and urged students to pursue education regardless of AI fears.
- 2026-05-05 / skill-finderClaude Code Auto Mode: Sonnet 4.6 Transcript Classifier Handles Permission Prompts — 0.4% False Positive Rate, Now on Max/Team/Enterprise/APIAuto mode delegates tool-call approval to a separate Sonnet 4.6 classifier that reviews each action against decision criteria before execution, blocking destructive actions, data exfiltration, or hostile-content-driven commands. Anthropic reports 0.4% false-positive rate on real internal traffic and 17% false-negative rate against curated 'overeager actions' tests. Rolled out progressively from March 24 through April 16, 2026 — now GA across Max, Team, Enterprise, and API plans.
Source trail
shared what happenedClaude Code Docs — Hooks referenceArun Baby — ClawGuard: Moving Prompt Injection Defense to the RuntimeSimon Willison's BlogZuplo — Token-Based Rate Limiting for AI Agents in 2026Claude Docs — Skill Authoring Best PracticesReleasebot (Claude Code release notes)SmartScope — Claude Code Advanced Best Practices 2026Claude Code Docs — Changelog v2.1.152Show HNMetaintroFortune
Graph sources
entity graphfindings textkg entitiesnewsletter issues