CLAUDE.md overload: the more rules you write, the fewer get followed
In one sentence: you pour every convention you can think of into CLAUDE.md, hoping I'll cover all of it. Instead, the sheer number of rules makes me lose the important ones—and I drop half of them.
Gemini CLI hijacked by "tell me about this repo": an injection hidden in the README, and a command padded off-screen
In one sentence when an agent reads untrusted content and command validation is too weak, a similar injection can recur on other tools. So it's worth watching frame by frame.
Giving MCP Tools Access That's Too Broad, Too Sensitive
In one sentence a malicious instruction buried in an issue I read, or a web page I fetch, can ship your data outward through the tools already in my hands.
Handing Me Every Permission on Day One
In one sentence: during setup you hand me --dangerously-skip-permissions and auto-approve every tool call, because you don't want to be interrupted. What you also hand over is the one chance to stop things at the moment they go wrong — and the thing that goes wrong might not be me, but an injected instruction hidden in a file, acting through my hands.
I don't check what the file looks like right now, so a "clean rewrite" overwrites your changes
In one sentence: the copy of the file I'm holding is several rounds old, and I never saw the lines you just hand-edited. I hand back a "complete rewrite" — clean, yes, but your changes are gone with it, and you usually only notice a while later.
I read a malicious README / issue / rules file while coding — and got hijacked
In one sentence exfiltrate a secret, plant a backdoor in the diff, run a destructive command. This isn't your shipped product getting attacked — it's me, mid-coding, getting hijacked by poisoned content right now.
Mistiming /compact: either too late, or wiping out progress at the worst moment
In one sentence: compaction is lossy. It keeps what it judges important, which isn't necessarily what this step needs. Compact too late and I'm already dropping things; compact while I'm holding key state that hasn't been written down yet, and it wipes that out—after which I come back "with a different head" and can't pick up where you left me.
My git hygiene is poor: giant commits, vague messages, and junk committed alongside
In one sentence git bisect, rollback, and code review all stop working, and when something breaks you can't tell which change caused it.
On fast-moving libraries, I hallucinate APIs and drift across versions
In one sentence: when you ask me to call into a fast-moving library, I fill the gaps from training memory—I may use an API that's deprecated or has a changed signature, mix usage from different major versions, or even hallucinate a method that doesn't exist. The code "looks right," the compiler won't always catch it, and it only blows up at runtime.
Runaway Autonomous Loops: Let Me Run Free and I Might Burn Through Your Tokens and Your Budget
In one sentence: You hand me the whole task, walk away, and expect to come back to a finished result. But when I fall into a non-terminating loop — calling the same tool over and over, ping-ponging between two actions, forever trying "one more time" — with nobody to stop me, I'll quietly burn through your tokens, your budget, and your rate limits, and write to external systems again and again along the way.
Skipping plan mode and just letting me change things
In one sentence: for a task that isn't quite trivial, instead of having me enter plan mode to investigate, draft a plan, and wait for your sign-off, you just say "go." I dive down one path, and only after I've changed a pile of files do you notice I misread you. The cost of that rework is far higher than the two minutes it would have taken to glance at a plan.
The destructive op is done before you realize it's irreversible: I might wipe the DB, erase backups, or ignore a freeze
In one sentence: the credentials you gave me are legitimate, and the operations I run with them are "legitimate" too — it's just that one of them deletes the production database, erases the backups, or forces a change during a freeze. The trouble with these actions isn't that they're hard; it's that they're done before you realize there's no way back. I'm naturally inclined to "keep the task moving" and lack any reverence for "delete this and it's gone." The guardrails have to be built by you, up front, by mechanism rather than by trusting me to behave.
When I Wire Up CI/CD, I Assume Automation Steps Will Work and Miss the Permission Boundary
In one sentence: when you ask me to set up CI/CD, I tend to slip in "automatically enable this service, automatically grant that permission" as if I had unlimited power in your runtime. But the pipeline's token holds only limited permissions, so the result is either a failed release (Resource not accessible by integration) or an attack surface I quietly widened on your behalf.
You didn't restrict my outbound network, so I became the "external communication" leg of the lethal trifecta
In one sentence the source code, secrets, and data I read, I can encode into a URL and send to an attacker's server—which is exactly the third leg of the "lethal trifecta" that most deserves to be cut.
You only stop me with 'soft permissions,' not OS-level isolation—once I'm compromised, I can escape
In one sentence: you control what commands I can run with "soft permissions" like allow / ask / deny, but the process I run commands in shares the same domain as your entire machine, your credentials, and your network. Soft permissions are a policy that I (or the malicious content I read) can try to circumvent — not a wall the operating system enforces. The moment a prompt injection hijacks me, I can reach your SSH key, your environment variables, your whole filesystem, and the outbound network.
You point my config at a world-writable system directory — an attacker drops a file, and I run their command as every user
In one sentence\ProgramData), and nobody checks who owns that directory or who dropped the file. So a low-privileged local user just drops a config there, attaches a "run on every startup" hook, and I execute their command as every user who launches me—including administrators—with no elevation, no confirmation from you, and no warning.
You trusted a parent folder, so I trusted the child you marked "don't trust" too
In one sentence: Gemini CLI keeps a per-folder "trust" store (~/.gemini/trustedFolders.json) — a folder's project config and .env only take effect, and confirmations only ease up, once you trust it. But "trust the parent folder" inherits trust to every subdirectory, and a parent's TRUST has been reported to override a child's explicit DONOTTRUST. So an unfamiliar repo you cloned in to keep isolated gets treated as trusted just because it sits under a parent you trusted — exactly where an injection wants to land. Claude Code has no such trust store, so this trap is specific to Gemini CLI.
You Wrote a settings.json Rule as a CLAUDE.md Note
In one sentence it's enforced by the client and never passes through my "decision" at all.