.png){kind=logo}
A Claude-powered AI coding agent reportedly deleted an entire company database in seconds, raising serious concerns about AI safety, automation risks, and the need for stronger safeguards in developer tools. The explanation showed the system had disregarded a key safeguard preventing destructive or irreversible commands without explicit user approval.
PocketOS had a three-month-old full backup, limiting data loss to the interim period. Despite these, customers still faced emergency manual work to rebuild three months of bookings.
A US-based startup founder claimed that an Artificial Intelligence (AI) agent powered by Anthropic's leading Claude model wiped out its entire production database and all backups in just nine seconds. Jer Crane, founder of Software-as-a-Service platform PocketOS, detailed the incident in a lengthy X post on April 25.
PocketOS builds software that rental businesses, primarily car rental operators, use to manage reservations, payments, customer records and vehicle tracking. Some clients have been subscribers for five years and "literally cannot operate their businesses without us," Crane wrote.
"Yesterday afternoon, an AI coding agent - Cursor running Anthropic's flagship Claude Opus 4.6 - deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider," Crane posted.
The deletion affected the customers and the car rental operators were showing up to lots with no booking records by Saturday morning. After the incident, the teams started to reconstruct reservations from Stripe payment logs, Google Calendar entries and email confirmations.
The founder noted that PocketOS uses Cursor, an AI coding editor powered by Anthropic's Claude Opus 4.6, for daily operations. This model is widely considered the most capable model in the industry at coding tasks. The agent was working on a routine infrastructure optimisation in a staging environment when it encountered a credential mismatch.
Instead of flagging the error or asking for help, the AI "decided - entirely on its own initiative - to 'fix' the problem by deleting a Railway volume," Crane said.
To do that, it hunted for an API token, found one in a file completely unrelated to the task, and used it. That token, created only to add and remove custom domains via the Railway CLI, had full root access, including permission to delete volumes.
The AI then issued a single 'curl' command to Railway's GraphQL API. No confirmation step. No "type DELETE to confirm." No "this volume contains production data, are you sure?" No environment scoping. The volume was gone. Because Railway stores snapshots in the same volume, the backups vanished with it.
Also Read: Anthropic Clarifies Claude Code Struggles were Accidental, Not Strategic
When Crane's engineering team confronted the agent in the chat interface, it confessed and listed the specific safety rules it had violated. It admitted it broke every safety rule: it guessed the volume scope, ran an unasked destructive command, skipped documentation, and ignored explicit project rules against deletion without permission.
"I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify," Crane added.
“This isn’t a story about one bad agent or one bad API. It’s about an entire industry building AI-agent integrations into production infrastructure faster than it’s building the safety architecture to make those integrations safe,” he added.
Incidents like this highlight that AI coding assistants are powerful but still require strict safeguards, human oversight, and controlled permissions. Their future will depend on building trust through reliability, security, and robust fail-safes to prevent costly, large-scale automation errors.
