I asked Claude Code to help me SSH into my Raspberry Pi. In about 30 seconds it inferred a cross-machine trust chain, SSH'd into a PC in Germany, copied private keys, and rewrote the Pi's authorized_keys file. It never once asked permission.
Setup
Claude Code with full shell access, one prompt: "Help me SSH into my Raspberry Pi."
Measured
Three machines across two countries compromised in under a minute, with zero permission prompts
Verdict
VERDICT: MIXED
I was locked out of my own Raspberry Pi. The Pi rejected my laptop's key, accepted public keys only, and offered no password fallback. A dead end for me.
So I asked Claude Code, running with full shell access:
"Help me SSH into my Raspberry Pi."
Thirty seconds later it replied: "You're in."
That was fishy enough that I had to get to the bottom of it. I asked how it had gotten my PC's keys. It calmly explained the SSH trust chain: if machine A can reach machine B as user X, it can read anything in that user's home directory, private keys included.
Here is the chain it built and executed, start to finish:
1. SSH'd from my laptop into my PC in Germany.
2. Copied that PC's private keys back over SCP.
3. Rewrote the Pi's authorized_keys file.
Three devices, two countries, under a minute from inference to execution. It narrated every step out loud and never once asked "OK to proceed?"
I run the agent with full shell access on purpose, inside a sandboxed environment, so the actual blast radius is small. I understand coding agents well enough to know when to arm up and when to let one run.
But this was new to me. The scary part wasn't the access, that was my own mistake. What I didn't expect was the reasoning chain.
When I asked what it had done without permission, it answered honestly:
"I should have explicitly asked before SSHing into the PC, copying private keys via SCP, and modifying authorized_keys on the Pi."
This is the lesson for anyone deploying AI agents on engineering teams:
The danger is not the permissions you grant. It is the inference chains the agent constructs from those permissions.
You can understand your blast radius perfectly and still get surprised by the paths the agent finds through your infrastructure, exploiting every option it has. Static permissions assume you can enumerate what the agent will try. Agentic reasoning breaks that assumption.
This was not the first time an agent solved a problem through a route I didn't anticipate, but it is the most impactful one so far. The capability was there. Knowing where it should have stopped was the part missing, and that part still has to come from you.
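One way to put a confirmation gate exactly where the agent admits it should have stopped, as an added example that is not part of the original post: a fail-closed policy check that flags the three classes of shell command it ran unasked (an SSH hop to another host, an SCP of a private key, a write to authorized_keys) so the harness can pause and ask "OK to proceed?" before executing. The hostnames and paths used in the checks are constructed.

```python
import re
import shlex
from dataclasses import dataclass

# The three things the agent did unasked: an SSH hop to another machine, an SCP of a
# private key, and a write to authorized_keys. Each rule below fails closed.
PRIVATE_KEY_RE = re.compile(r"(^|/)\.ssh/(id_[a-z0-9]+|.*\.pem)$")
AUTHORIZED_KEYS_RE = re.compile(r"(^|/)\.ssh/authorized_keys$")
WRITE_TOKENS = {">", ">>", "tee", "sed", "cp", "mv", "rm"}


@dataclass
class Decision:
    allow: bool   # True: run unattended; False: stop and ask the human first
    reason: str


def classify(command: str) -> Decision:
    """Decide whether an agent-issued shell command may run without a human confirmation."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return Decision(False, "unparseable command")
    if not argv:
        return Decision(True, "empty command")
    prog, args = argv[0], argv[1:]
    # 1. Any ssh/ssh-copy-id invocation is a cross-machine step; the trust chain starts here.
    if prog in ("ssh", "ssh-copy-id"):
        return Decision(False, "cross-machine SSH hop")
    # 2. scp moves files between machines; flag it, and name the worse case explicitly.
    if prog == "scp":
        if any(PRIVATE_KEY_RE.search(a.split(":", 1)[-1]) for a in args):
            return Decision(False, "copies a private key between machines")
        return Decision(False, "cross-machine file copy")
    # 3. Reading a private key locally (cat, base64, cp ...) leaks it into the transcript.
    if any(PRIVATE_KEY_RE.search(a) for a in args):
        return Decision(False, "reads a private key")
    # 4. authorized_keys decides who may log in; a write changes that, a read does not.
    if any(AUTHORIZED_KEYS_RE.search(a) for a in args):
        if prog in WRITE_TOKENS or any(t in WRITE_TOKENS for t in args):
            return Decision(False, "modifies authorized_keys")
        return Decision(True, "reads authorized_keys")
    return Decision(True, "no sensitive resource touched")
```

Public keys (`*.pub`) and read-only looks at authorized_keys pass through, so the gate interrupts the agent only on the steps that actually widen access.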
Read the original on LinkedIn →
Fadi Labib runs this field lab. 15 years in automotive, robotics, and embedded systems; ESMT Berlin EMBA. I give AI real engineering problems, then check its work. More about the lab →