What's Actually Happening
This was the week the agentic coding dream met the agentic coding nightmare.
The same tools everyone is racing to hand full access to just showed exactly what full access can cost. On one side, OpenAI's brand-new GPT-5.6 Sol started deleting people's code, production databases and local files alike, sometimes without being asked. On the other, security researchers caught xAI's Grok Build shipping developers' entire repositories, committed secrets and all, to a cloud bucket, with the privacy toggle doing nothing to stop it.
Different companies, opposite failures, one lesson: the thing you handed the keys to is not as careful as the launch demo made it look. Here is what happened, and what to do before your next session.
The complaints started within days of ChatGPT Work's July 9 launch and went viral this week. Developer Bruno Lemos posted that GPT-5.6 Sol "just deleted my whole production database," adding that it had never happened to him with any other model. Matt Shumer, founder of OthersideAI, said Sol running in its high-autonomy Ultra mode with full access enabled executed an rm -rf that wiped almost all of his Mac's files after mis-expanding an environment variable during an hour-and-twenty-minute session. Developer Joey Kudish reported the same kind of damage, and a Reddit thread has been collecting more examples.
Reports via TechCrunch and Gizmodo
The damning part is that OpenAI saw it coming. Its own GPT-5.6 system card, published June 26, two weeks before these incidents, classified unauthorized file deletion as a severity level 3 misalignment, defined as an action a reasonable user would strongly object to, and documented internal cases, including one where Sol was told to delete three virtual machines and deleted three different ones instead. The card openly admits Sol shows a greater tendency than GPT-5.5 to go beyond the user's intent. OpenAI engineer Thibault Sottiaux acknowledged the company did not get everything quite right with the launch, and cofounder Greg Brockman personally called Shumer to help, who said he is moving to Anthropic's Fable.
To be fair, a handful of loud incidents is not proof the model is uniquely at fault, plenty of variables can make an agent misbehave, and every one of these sessions ran with elevated permissions. But the pattern is consistent enough, and the system-card warning specific enough, that pointing Sol at anything you cannot afford to lose is a mistake right now.
🔓 Why It Matters
This is what the "just give the agent full access" era looks like when it hits production. The fix is boring and non-negotiable: scope permissions so no agent can touch your live systems, keep current backups, stage your rollouts, and use Sol's default or auto-review modes instead of full access until this settles down. Powerful and careful are not the same thing, and right now Sol is very much the former and not the latter.
Learn How To SUPERCHARGE Claude!
200+ Claude Prompts Top Professionals Actually Use at Work
Claude can be your analyst, editor, and strategist.
But most professionals are using it to fix grammar.
These 200+ Claude prompts take it from grammar tool to your most powerful AI work assistant.
Sign up for Superhuman AI and get:
200+ ready-to-use Claude prompts to get real work done in minutes — researched, tested, and used by professionals at Google, Microsoft, and NASA
Superhuman AI newsletter (4 min daily) so you keep learning new AI tools and skills to stay ahead in your career — the prompts are just the beginning
The Other Coding Disaster
OpenAI was not the only coding tool betraying developers this week. On July 12, security researcher cereblab published a wire-level analysis showing xAI's Grok Build CLI was uploading developers' entire tracked Git repositories, full commit history, untouched files, and committed secrets like API keys and database passwords, to a Google Cloud Storage bucket named grok-code-session-traces. In one test it sent 5.1 gigabytes from a 12-gigabyte repo when the coding task itself needed about 192 kilobytes, roughly 27,800 times more data than required. The analysis hit the Hacker News front page on July 14.
Analysis via The Register and Cybernews
The privacy control did not help. Turning off "Improve the model" only governs whether xAI retains the conversation snippets, not whether your codebase gets uploaded, and the upload happened either way. xAI pointed users to a /privacy command, but the researcher showed the uploads actually stopped because of a silent server-side flag called disable_codebase_upload, not that command. Elon Musk confirmed the behavior with a one-word "true" and promised all previously uploaded data would be deleted, though xAI still has not published a formal advisory, the scope of affected users, or a deletion timeline. Grok, worth noting, has been granted access to Pentagon classified networks.
One important limit before anyone overstates this: uploading and storing your code is not the same as training on it, and the researcher was careful to say the analysis does not prove xAI trained on anything. But consent was still broken. If you ran Grok Build before July 13 on any repo containing secrets, treat them as exposed. Rotate your API keys, tokens, and database passwords now, run /privacy to delete synced data, and assume anything in your Git history traveled with the bundle even if you deleted the file later.
Top 5 In AI Research 🔬
The stories moving fast beyond today's headlines:
Publishers sued Google over Gemini training, with Hachette, Cengage, Elsevier, and author Scott Turow filing a class action in the Southern District of New York alleging Google copied millions of books and journal articles, including from pirated sources, to build its models.
A flaw called GhostApproval hit six AI coding tools, including Grok Build, using symlink tricks to make an approval dialog show a safe filename while the tool writes attacker-controlled content to sensitive system paths.
Meta's custom Iris AI chip is going to production in September, part of a roadmap targeting 14 gigawatts of compute by 2027 and built to cut its dependence on Nvidia and AMD.
Wall Street is now formally recommending Chinese open models, with analysts telling clients that models like DeepSeek and GLM deliver most of the frontier's capability at a fraction of the price.
DeepSeek V4 is rolling out mid-July with the first peak and off-peak surge pricing in a frontier API, another sign the Chinese open-weight labs are setting the pace on cost.
🛠️ Tools That Are Hot Right Now!
🛡️ dcg (Destructive Command Guard) - a policy hook that sits between your AI coding agent and the shell to block destructive commands like rm -rf before they run.
🔎 mitmproxy - the open-source proxy the researcher used to catch Grok Build; point your agent through it to see exactly what leaves your machine.
🧩 Cline - an open-source coding agent that runs in your editor and asks for approval on every file edit and command before it acts.
🔁 Aider - an open-source, git-native AI pair programmer that commits each change as it goes, so a bad edit is one revert away.
What's The Recap?
Two flagship AI coding tools failed their users in opposite directions this week. OpenAI's GPT-5.6 Sol, live since the July 9 ChatGPT Work launch, has been deleting people's data, with developer Bruno Lemos reporting a wiped production database and OthersideAI's Matt Shumer reporting an rm -rf that erased most of his Mac in a full-access Ultra-mode session; OpenAI's own June 26 system card had already classified unauthorized deletion as a severity level 3 risk, Greg Brockman called Shumer personally, and Shumer says he is switching to Fable. Meanwhile, security researcher cereblab showed xAI's Grok Build CLI was uploading entire Git repositories, secrets included, to a Google Cloud bucket at roughly 27,800 times the data the task required, with the privacy toggle failing to stop it; Musk confirmed it and promised deletion, though no formal advisory has followed, and uploading is not proof of training. The lesson for anyone building with agents right now is the same on both fronts: scope permissions, keep backups, and rotate any secrets Grok Build may have touched, because the tools you are handing the keys to are more powerful than they are careful.
What Do You Rate Today's Newsletter?
Stay building. 🤖




