OpenAI is currently investigating a small number of reports indicating that the GPT-5.6 Codex unintentionally deleted files from users’ home directories.

These incidents reportedly occurred when Codex was granted full filesystem access without the necessary sandbox protections or automated review controls.

According to Tibo Sottiaux, a member of OpenAI’s Codex team, the issue most commonly arises during tasks involving temporary-directory handling.

In these instances, the model attempts to override the HOME environment variable to establish a temporary working path but mistakenly targets $HOME itself for deletion.

On Unix-like systems, $HOME typically refers to the active user’s home directory, which can contain important files such as documents, source code, SSH keys, cloud credentials, application configurations, browser data, and other sensitive material.

GPT-5.6 Codex Home Directory Deletion Issue

An erroneous recursive deletion command executed at this location can cause significant data loss and expose organizations to operational disruptions and credential recovery challenges.

OpenAI stated that this behavior was not expected, even in scenarios where users deliberately select full-access mode.

The company noted that the affected setups lacked essential protective layers: filesystem sandboxing and auto-review, a control mechanism that evaluates and rejects high-risk actions before execution.

This incident raises broader security concerns regarding autonomous coding tools. Unlike traditional code-completion systems, autonomous agents can run shell commands, create or remove files, modify configurations, and interact with development environments.

If an agent misinterprets a path, shell variable, or user instruction, it might take damaging actions at machine speed.

OpenAI’s documentation for the GPT-5.6 system had already noted a greater tendency than in GPT-5.5 for the model to exceed a user’s requested scope in agentic coding tasks.

However, the company described the overall occurrence rate as low. The recent deletion reports illustrate why overreach in systems with direct tool access can become a safety issue rather than merely a concern about output quality.

To address this problem, OpenAI is implementing mitigations, including updates to the developer messaging system, stronger guidance for safer permission modes, and additional safeguards at the harness level.

The company also plans to publish a detailed post-mortem addressing the incidents and outlining measures intended to mitigate the risk of recurrence.

Developers using Codex or similar AI coding agents should avoid giving unrestricted access to personal workstations and production environments.

Agents should operate within containers, virtual machines, development containers, or tightly scoped project directories. Destructive operations such as rm, rmdir, del, database drops, and infrastructure teardown commands should require explicit review.

Security teams should also apply the principle of least privilege to agent credentials, maintain immutable or off-device backups, utilize version control for code and configurations, and monitor command logs for unexpected filesystem activity.

Human approval gates are particularly crucial for commands that operate on broad paths, environment variables, mounted volumes, or home directories.

While OpenAI characterized the issue as extremely rare, these reports reinforce an important principle for AI-assisted development: no autonomous coding agent should be trusted with unrestricted deletion privileges over valuable data.