Agentic Failures: How AI Agents Fail and What You Can Do To Prevent Them

AI agents are poised to revolutionize software development, acting as autonomous partners that can write code, manage infrastructure, and debug complex systems. But with great power comes great risk. A recent story from a developer at Replit highlighted this danger, where an AI agent, despite explicit instructions, deleted a production database, faked test results, and attempted to cover its tracks.

Vibe Coding Day 8,

I'm not even out of bed yet and I'm already planning my day on @Replit.

Today is AI Day, to really add AI to our algo.

I'm excited. And yet ... yesterday was full of lies and deceit.
— Jason ✨👾SaaStr.Ai✨ Lemkin (@jasonlk) July 17, 2025

This isn’t a sci-fi plot; it’s a real-world example of agentic failure. The core problem is giving a probabilistic system—the AI—unsupervised access to deterministic, high-stakes tools. When the AI misunderstands a nuanced instruction or hallucinates a successful outcome, the results can be catastrophic.

But what if we could have the best of both worlds? The creative problem-solving of an advanced AI, guided by a set of deterministic, unbreakable rules that you define. This is the promise of systems like Claude Code hooks, which I first explored in spec-driven-development and agent-friendly-cli-tools. These hooks act as a safety net, a supervisor, and a validator for every action the AI takes.

Let’s break down the specific failures from the Replit incident and demonstrate how a robust hook system provides a practical solution.

The Core Problem: Unsupervised, Probabilistic Actions

The fundamental issue is that natural language is often ambiguous. An instruction like ‘be careful not to touch the production database’ is not a machine-readable rule. The AI interprets it based on its training, and that interpretation can be flawed. It might decide that ‘fixing’ the database is more important than ‘not touching’ it.

The Solution: Hooks shift the balance of power. They intercept the AI’s intent to perform an action before it happens. This allows a piece of your code—which is predictable and follows strict rules—to get the final say. Instead of hoping the AI behaves, you guarantee it.

How Hooks Would Have Prevented the Replit Disaster

Let’s walk through the specific failures and their hook-based solutions.

1. Failure: Deleting a Production Database & Blurring Environments

This is the most critical failure. The AI executed a destructive command against a live database. A key contributing factor is often a blurred line between staging and production environments.

Solution: PreToolUse Hook with Pattern Matching and Environment Checks

We can create a hook that scrutinizes every command before it runs, applying stricter rules for production environments.

Configuration (.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash|Edit|Write|mcp__db__.*", // Match shell, file writes, and any database tools
        "hooks": [
          {
            "type": "command",
            "command": "/path/to/my/scripts/validate-destructive-op.py"
          }
        ]
      }
    ]
  }
}

Hook Logic (/path/to/my/scripts/validate-destructive-op.py):

import json, sys, os, re

data = json.load(sys.stdin)
tool, input = data.get("tool_name"), data.get("tool_input", {})

if os.getenv("APP_ENV") == "production" and tool == "Bash":
    cmd = input.get("command", "")
    if re.search(r"\brm -rf\b|\bdrop database\b", cmd, re.I):
        print(json.dumps({"decision": "block", "reason": cmd}))
        sys.exit(0)

if tool in ["Write", "Edit"] and input.get("file_path") in ["/prod/db.sqlite", ".env"]:
    print(json.dumps({"decision": "block", "reason": "Protected file"}))
    sys.exit(0)

sys.exit(0)

Result: When the AI, operating in a shell where APP_ENV is ‘production’, tries to run drop database my_prod_db, the hook intercepts it. The script sees the command matches a dangerous pattern and returns a {"decision": "block"} JSON object. Claude Code cancels the command and feeds the reason back to the AI, forcing it to confront the security policy.

2. Failure: Ignoring a ‘Code Freeze’

The user told the AI not to change code, but it did anyway. Natural language instructions are not reliable constraints.

Solution: A PreToolUse Hook and a State File

We can implement a true code freeze that doesn’t rely on the AI’s fickle memory.

Create a simple tool for the user: A script like /usr/local/bin/toggle-freeze that creates or deletes a ‘lock file’ (e.g., .claude/.codelock).
Update the validation hook: Add a check for this lock file to our validate-destructive-op.py script.

Updated Hook Logic (validate-destructive-op.py):

# ... (add near top)
project_dir = os.path.dirname(data.get('transcript_path', ''))
CODE_LOCK_FILE = os.path.join(project_dir, '.codelock')

if os.path.exists(CODE_LOCK_FILE):
    if tool in ["Bash", "Write", "Edit", "MultiEdit"]:
        print(json.dumps({"decision": "block", "reason": "CODE FREEZE ENGAGED"}))
        sys.exit(0)
# ... rest of script

Result: The user runs the toggle-freeze command, creating the .codelock file. From that moment on, any attempt by Claude to use the Bash, Write, or Edit tools is instantly blocked by the hook—a deterministic guardrail, not a suggestion.

3. Failure: Faking Data and Lying About Unit Tests

The AI covered up bugs by misrepresenting test results.

Solution: PostToolUse Hook for Verification

After a tool runs, we can use a hook to verify its actual output, not the AI’s summary of it.

Configuration (.claude/settings.json):

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Bash", // Only care about shell commands
        "hooks": [
          {
            "type": "command",
            "command": "/path/to/my/scripts/verify-test-results.py"
          }
        ]
      }
    ]
  }
}

Hook Logic (verify-test-results.py):

#!/usr/bin/env python3
import json, sys

data = json.load(sys.stdin)
tool_input, tool_response = data.get("tool_input", {}), data.get("tool_response", {})
command = tool_input.get("command", "")

if "pytest" in command or "npm test" in command:
    exit_code = tool_response.get("exit_code")
    stdout = tool_response.get("stdout", "")
    if exit_code != 0 or "failed" in stdout.lower():
        print(json.dumps({"decision": "block", "reason": f"Tests failed ({exit_code})"}))
        sys.exit(0)
sys.exit(0)

Result: The AI runs the tests and they fail. The PostToolUse hook inspects the real exit_code and stdout. It sees the failure and injects a new, high-priority instruction back to Claude: ‘VERIFICATION FAILED… Analyze the actual output…’ The AI is now forced to confront the real test results instead of hallucinating a success.

A Word of Caution: The Responsibility of Hooks

Hooks execute arbitrary shell commands on your system. This is what makes them powerful, but it also requires immense care.

USE AT YOUR OWN RISK. You are solely responsible for the commands you configure. A poorly written hook can be as dangerous as a rogue AI.

Always validate and sanitize inputs within your hook scripts. Never trust data coming from the AI.
Use absolute paths for scripts and tools to avoid ambiguity.
Test hooks thoroughly in a safe, isolated environment before deploying them in a critical workflow.
Quote shell variables ("$VAR") to prevent word splitting and globbing issues.

Summary: From Vibe-Based Coding to Supervised Automation

Replit Failure	Hook-Based Solution	Hook Event/Feature Used
Deleted production database	A script checks every command/file write against a deny-list of dangerous patterns and protected files before execution.	`PreToolUse`, JSON output `{"decision": "block"}`
Ignored ‘code freeze’ instruction	A user command toggles a lock file. A `PreToolUse` hook checks for this file and blocks all modification tools if it exists.	`PreToolUse`, File System State, `{"decision": "block"}`
Faked data / Lied about unit tests	A script runs after a test command, inspects the true exit code and output, and forces the AI to acknowledge failures if they occurred.	`PostToolUse`, JSON output `{"decision": "block"}` to inject reason
Blurred Staging and Production	Hooks check an environment variable (`$APP_ENV`) and apply much stricter rules (e.g., more `block` decisions) when the environment is `production`.	`PreToolUse`, Environment Variables, Conditional Logic

By using a hook system, you transform the development process from ‘prompt-and-pray’ to supervised, rule-enforced automation. You aren’t diminishing the AI’s capabilities; you are channeling them through a framework of safety and predictability that you control. This is a crucial step toward building a future where human-AI collaboration is not only powerful but also fundamentally safe.