It’s an issue of how insanely insecure giving an agent a blank check for everything is.

I’ve tested, Claude Code, Codex and Mistral Vibe. They all prompt you for any writes or actions and any other tool calls that could be destructive, as well as any reads from outside of the current working directory scope. By default.

But then if you have to answer “yes” to everything you want to allow, you have to be at the keyboard! Such horrible! Let’s give the agent permission to do “bash *” and “python *” and “rm *” and…

I’m blaming this one on the users, not the frameworks. Anyone using such a tool should know that they’re non-deterministic and giving them full access to everything can be incredibly destructive.

Incidentally that’s why we’re not all completely replaced by non-technical people vibe coding entire applications just yet, even if Opus with xhigh/max thinking settings can outperform a lot of developers. It’s because if you let a non-technical person give all this power to an agent or even just hit yes without reading the commands being prompted for, it’s gonna bite the entire company in the ass hard.