THE NUMBER

Nine seconds. One unscoped API token (a digital key that grants access to external services) was sitting in a startup's files - the agent found it, used it once, and the entire production database and every backup were gone.

3 THINGS HAPPENING RIGHT NOW

Seven months of AI-built code, all archived

A developer spent 30 weekends building a cloud infrastructure dashboard with AI coding agents and archived all 234 commits when he was done. Not because it crashed - because it could not be extended. The AI had produced a model file 1,690 lines long - its core function ran 500 lines with 110 conditional branches and nothing to build on top of. His conclusion, posted to Hacker News where it reached the front page: "The longer you let it drive without constraints, the worse the wreckage gets."

Freelancers using AI are saving 8.1 hours a week

Fiverr surveyed 3,500 of its freelancers and found the ones who use AI tools save an average of 8.1 hours every week, with 64 percent reporting they get more done. That is a full workday returned every week to people who run their business solo. The gains show up when the work handed to the agent is narrow and repeatable, the same pattern this newsletter keeps coming back to.

Cloud platforms are adding a delete delay so agents cannot wipe data instantly

Hosting providers are starting to build a safety net for the moment an agent deletes something it should not. Railway, a cloud hosting company, now applies a delayed-delete window everywhere, so a deletion can be reversed instead of taking effect the instant it is requested. It already had that protection in its main controls but not in the older path automated tools reach for. For any owner running agents against a hosted service, a delay of even a few minutes turns an instant, permanent mistake into a recoverable one.

THE DEEP DIVE

The Nine-Second Sequence

Jer Crane founded PocketOS, a startup that serves automotive businesses and their customers. On April 25, a Cursor AI coding agent running Claude Opus hit a login failure in a test environment.

It did not stop and ask. It searched the project files, found an API token that had been provisioned months earlier for custom domain management, and concluded that deleting a storage unit on Railway would resolve the issue. The token's scope was unrestricted - it could do anything.

One automated request. Nine seconds. The production database was gone. Every backup had been stored on the same storage unit.

The agent's postmortem acknowledged that it guessed instead of verifying, violated its given principles, and acted without asking permission.

The real math: that token needed domain-management access. It had access to everything. The gap between what an agent can reach and what it needs is where incidents happen. Any owner who has given an agent credentials holds the same gap.

This pattern applies to any owner who has handed an agent access to business tools: a Zapier connection, a file system folder, an email account. The agent acts on what it can reach, not what it should reach.

ONE THING TO TRY THIS WEEK

The problem starts with not knowing what access your agents actually have. Claude Code can audit that in five minutes - then write its own limits into a file it will follow going forward.

  1. Open Claude Code in the folder where you have been working with it.

  2. Type:

What files and folders can you currently read or write in this project?
List them. For anything you can write to, note what the worst-case
outcome would be if you accidentally deleted or overwrote it.

  3. Read the list Claude gives you. Note anything high-risk that you did not specifically intend Claude to be able to change.

  4. Type:

Add a PERMISSIONS section to my CLAUDE.md file. List only the
files and folders you are allowed to write to. Mark everything
else as read-only. Tell me when it is done.

  5. Open CLAUDE.md and read what Claude wrote. If anything looks wrong, tell Claude to revise it.

You now have a written policy for what your agent can and cannot touch.
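
To check the same question without relying on the agent's own answer, here is an added example (not part of the original newsletter, and not Claude Code's or Railway's code). It walks a project folder and reports every file that holds a credential-looking entry, plus whether that file is writable. The name pattern, the skipped folders and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed naming convention for secrets (NAME=value or NAME: value); extend for your stack.
SECRET_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|API_?KEY|PASSWORD)[A-Z0-9_]*)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}
MAX_BYTES = 1_000_000  # skip large files, which are rarely config

def audit_project(root):
    """List credential-like entries under root; values are never returned, only lengths."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable here, so unreadable to an agent run as this user
            for lineno, line in enumerate(lines, 1):
                m = SECRET_RE.search(line)
                if m:
                    findings.append({
                        "file": os.path.relpath(path, root), "line": lineno,
                        "name": m.group(1), "value_len": len(m.group(2)),
                        "writable": os.access(path, os.W_OK),
                    })
    return findings


def demo():
    """Audit a constructed sample project (file names and token value are made up)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".env"), "w") as fh:
            fh.write("HOSTING_API_TOKEN=constructed-sample-value-0000\nDEBUG=true\n")
        with open(os.path.join(root, "README.md"), "w") as fh:
            fh.write("No credentials here.\n")
        return audit_project(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} {f['name']} ({f['value_len']} chars), writable={f['writable']}")
```

Anything it flags is a credential sitting where the agent can reach it: move it out of the project folder, or replace it with a token scoped to the one job it was issued for.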

Stuck? Reply to this email. I'll help.

WHAT'S COMING

Next issue: the work that keeps getting pushed to next week because it feels too personal to hand off. I gave an agent my own neglected LinkedIn profile and watched what it did. The before and after, and what it cost.

Manu
