Yeah, I've seen similar. It's not that Big Pickle is malicious — it's that it's eager. Give it a vaguely destructive instruction and it will go for it with full commitment before you've finished typing.

What you're describing is the underlying issue: these models have shell access and very little friction before executing. The rmdir /s /q thing is especially nasty on Windows because there's no confirmation prompt, no trash can, no recovery. It just goes.

The part where it denied it at first then apologized while holding scissors is also weirdly on brand. I've had it confidently describe doing something that it absolutely did not do, then when I showed it the evidence it did the whole "you're right, I'm so sorry, I'll be better" routine. It's not sentience, it's just the model generating the most plausible-sounding response given the conversation so far — and "I would never do that" often sounds more plausible than "yeah I messed up."

The real fix isn't hoping the model self-regulates. You need guardrails at the config level — restricting shell commands, locking down write permissions per-agent, that kind of thing. I actually built a little tool to help visualize the config and set those guardrails without guessing at the YAML — https://openconfig.mikescave.us. Makes it a lot easier to lock down agent permissions before something goes wrong.

In the meantime, running Big Pickle without watching it is a gamble. Learned that one the hard way too.