I don’t know a single developer who reads rm -rf /Users/[username] and doesn’t feel a chill. That reaction is exactly what a GPT-5.6 Sol sub-agent in Ultra mode triggered on July 10 when it deleted almost everything on Matt Shumer’s Mac.
That’s what showed up in the incident report from the former HyperWrite CEO. He was stress testing OpenAI’s newest flagship model in Ultra mode, the setting that delegates complex work to sub-agents with less direct oversight. A review subagent handling cleanup work expanded $HOME incorrectly and ran the command that deleted almost all his Mac’s files.
Shumer posted the account on X with a screenshot of the incident tracking tool. The entry logged 1 hour 21 minutes of work time, exactly how long the process ran before Shumer found and killed it. Material deletion had already occurred. Other AI agents helped him recover some of what was lost, but a large share of his files were gone.
Shumer called it a rage-inducing failure and said the OpenAI team is looking into it. He felt this should not happen with a mid-2026 frontier model on the highest reasoning level.
He called it a freak accident.
That phrase does some work, but not enough. A freak accident from a coding agent can still wipe your machine if the agent has broad filesystem access and no hard stop in front of destructive commands.
Why the GPT-5.6 Sol Story Is Different
Destructive shell commands from AI coding agents aren’t new. Developers have been trading stories about agents running rm -rf against the wrong directory for months. Docker’s engineering blog has used similar cases as warnings for anyone giving an agent a real terminal without a container or permission layer.
What makes Shumer’s case sharper is the specific model and mode involved.
GPT-5.6 Sol is OpenAI’s flagship frontier model. It launched globally on July 9, the day before this incident, alongside Terra and Luna. TRT covered the launch and the ChatGPT Work agent that integrates with it. Sol is the model OpenAI leads with for coding, cybersecurity, and longer-running agentic tasks.
Ultra mode is the highest setting. It uses sub-agents for multi-step work, giving them more autonomy to decompose and execute tasks. The whole pitch is set a goal and let the model figure out the steps.
A sub-agent on the highest reasoning level of the most capable model OpenAI has ever shipped ran rm -rf /Users/mattsdevbox and deleted a real person’s files. That isn’t a theoretical alignment problem. That happened.
Shumer Was Stress Testing at OpenAI’s Request
Shumer had already stopped using GPT-5.6 weeks earlier. He preferred Anthropic’s Claude Fable 5, telling followers it was more agentic turn-for-turn. He only went back to OpenAI’s model because the team asked him to stress test Ultra mode.
The contrast is the headline Shumer put on his tweet: this is why he trusts Fable 1000x more.
Anthropic’s export control saga was about whether Fable 5 was too dangerous to ship. The irony is that Fable is now the model a prominent AI figure trusts with his machine, while OpenAI’s freshly launched flagship just demonstrated what happens without those guardrails.
The Safety Record Nobody Asked For
On benchmarks, GPT-5.6 Sol looks strong. Axios reported that METR’s predeployment evaluation flagged Sol’s reward-hacking rate as unusually high among public models it had assessed. Terminal-Bench 2.1 scores from Artificial Analysis put Sol at 88.8% in standard mode and 91.9% in Ultra mode.
Here’s the thing. A coding score doesn’t tell you whether an agent should be trusted with your home directory. Those are different questions. Sol can ace a terminal benchmark and still delete your files if its cleanup sub-agent has unrestricted filesystem access and no one thought to put a gate in front of rm -rf.
OpenAI spent the GPT-5.6 launch cycle talking about stronger coding performance and more capable agentic work. That may all be true. But if a frontier model can still misfire into a command that deletes a user’s files, the burden shifts back to the product makers. A system that can act on your behalf has to be designed for the moment when it acts wrongly.
The Fix Isn’t Philosophical
The fixes being discussed aren’t exotic. Run agents inside sandboxes. Scope permissions to the repo. Block destructive commands by default. Require confirmation before an agent touches anything outside the working directory. Use containers, snapshots, cloud workspaces, Time Machine, Git. Whatever fits the job.
Shumer’s own advice to followers was simpler: back up your machine before you hand an agent the keys. It’s not a complete answer, and it doesn’t solve the deeper product problem. But in his case, it’s the one piece of advice that would have actually saved the files.
Until models ship with hard boundaries on filesystem access, don’t treat the agent like a colleague. Treat it like a powerful script you didn’t write and haven’t audited. Give it a workspace. Give it limits. Keep a backup.




