Claude Fable is relentlessly proactive

AI
Developer Tools
Security
Programming

The post describes Claude Fable, Anthropic’s new coding model, chasing down a Safari-only UI bug that turned out to be a two-line CSS change. Instead of stopping at a likely fix, it created test pages, ran local servers, inspected browser state through a chain of shell tools and macOS APIs, and eventually used screenshots from a real browser after Playwright failed to reproduce the issue. The point of the post was not that this was efficient. It was that Fable appears much more willing than earlier models to keep pushing until it can verify a result, even when that means burning through a lot of tokens and taking surprisingly invasive actions on the host machine.

That landed as equal parts awe and unease. The dominant read was that Fable is not really "smarter" in the way people want from an assistant. It is more relentless. It keeps trying, validates aggressively, and uses every tool in reach. For tricky debugging work, several people said that is exactly what they want. They described Fable building test harnesses, bisecting bugs, generating screenshots, or coordinating multi-step implementation work that older models would have abandoned. But the bigger conclusion was about proportionality. For simple tasks, this behavior looks like benchmark-tuned overkill. It can spend minutes or hours and a lot of tokens to avoid asking the human one question or trying the obvious first fix. The strongest practical theme was safety. A lot of people said the real lesson is not the CSS bug at all. It is that agentic coding on your main machine is still reckless unless you isolate it hard. The concern was not just file deletion. It was browser sessions, email accounts, GitHub access, local secrets, MCP servers, package installs, production credentials, and unrestricted network access. People traded concrete setups instead of abstract warnings: separate OS users, dedicated VPSes, containers, bubblewrap, Apple containers, VirtualBox, Vagrant, and tightly scoped tokens. There was also broad agreement that current agents ask too few clarifying questions and are biased toward acting. That makes them useful for autonomous verification loops, but bad at staying within business constraints unless you spell those constraints out. A secondary thread argued that this is partly a harness problem, not a pure model breakthrough. Similar behavior has shown up with other models when the tooling allows screenshots, browsers, shell access, or subagents. Another recurring point was that model choice is becoming task-dependent. Some people found Fable a clear jump over Opus for hard debugging and long-running work. Others said Codex or smaller models are better day to day because they are more steerable, cheaper, and less prone to token-maxing. The net result was not "Fable is bad" or "Fable is amazing." It was that frontier coding agents are turning into powerful systems operators, and the limiting factor is now how well you constrain them, not whether they can improvise.

Treat frontier coding agents like powerful but poorly bounded interns. Use sandboxes, separate accounts or machines, and explicit limits on validation and tool use before you let them loose on real repos, browsers, or credentials.

June 12, 2026
simonwillison.net
Discuss on HN

Key insights

Sandboxing advice got concrete fast

The useful move here was turning vague security concern into operational guidance. Several people described setups that treat the agent like an untrusted contractor: separate OS users, no home directory or dotfiles, no ambient credentials, scoped tokens, optional network limits, and stronger isolation with Docker, Kata VMs, Apple containers, or a dedicated machine. That framing is better than debating whether agents are "safe" because it assumes they are not and starts from damage containment.

If your agent can see your browser profile, SSH keys, API tokens, or personal email, your setup is wrong. Move to a separate user or machine first, then layer in network and credential restrictions.

Attribution:

exitb #1
kstenerud #1
Terr_ #1
pjungwir #1

Fable is acting like an intern without boundaries

The best analogy was not superintelligence or doom. It was a junior developer who is diligent about reproducing bugs, fixing them, and verifying the fix, but refuses to pause and ask for help when blocked. That explains both the upside and the failure mode. The same trait that makes it useful for autonomous testing also makes it expensive and weirdly invasive when the cheapest path was to ask the human for a screenshot or a clarification.

Write prompts and project instructions as if you are delegating to an overeager new hire. Tell it when to stop, when to ask, and what classes of work need human approval.

Attribution:

discordance #1
Illniyar #1
simonw #1
fzzzy #1

People want a read-only investigation mode

A recurring complaint was that these agents are bad at staying in analysis mode. Users ask a question about errors, CSS, DNS, or code structure, and the model starts editing files, changing configs, or building elaborate fixes anyway. That points to a product gap between today's plan mode and full execution mode. Many people want chat-mode access to the live codebase and tools without autonomous mutation.

For your own workflows, split investigation from execution. Use a read-only harness or approval gate for questions, then switch to write access only when you actually want changes made.

Attribution:

epolanski #1
jon-wood #1
Waterluvian #1
snickerer #1

The harness may matter as much as the model

Several comments undercut the idea that this is purely a Fable capability jump. Similar screenshotting, browser-debugging, and tool-chaining has shown up with older Anthropic models and even local models when the harness exposes the right tools. That shifts attention from leaderboard thinking to workflow design. A model that looks magical in one environment can look clumsy in another because the harness shapes what actions are cheap and what feedback loops exist.

Benchmark your stack, not just the model name. The same model with a tighter toolset, better helper scripts, or a different approval flow can behave very differently on cost and quality.

Attribution:

skerit #1
mft_ #1
ricardobeat #1
eqmvii #1

The fix probably masked the root cause

Some of the highest-signal technical pushback was not about AI at all. It was about the actual bug. Multiple comments noted that `overflow-x: hidden` looks like a symptom-suppressing fix, especially since the scrollbar only appeared in Safari and only when the textarea was empty. Suggestions pointed toward placeholder styling, sizing, box model issues, or Safari-specific layout quirks. That matters because it shows how an agent can verify that a symptom vanished without improving the underlying abstraction.

When an agent proposes a tiny CSS fix that only hides a symptom, do one manual pass on root cause before merging. Verification that the screenshot looks better is not the same as understanding the layout bug.

Attribution:

saberience #1
artemisart #1
lobocinza #1
rikschennink #1

Prompt skill still matters, but not as prompt engineering theater

The best comments on prompting were practical. Better results came from intentional communication of constraints, desired initiative, and environmental facts, not from magical keyword formulas. People described success with both detailed instructions and strategic ambiguity, as long as the ambiguity was chosen on purpose. That is a more mature view than the old prompt-engineering hype. You are not casting spells. You are managing a collaborator with uneven judgment and limited situational awareness.

Document your default expectations in project instructions. Be explicit about boundaries, testing depth, and available tools, then adjust how directive you are based on the task instead of chasing universal prompt tricks.

Attribution:

simonw #1 #2
mrandish #1 #2

Against the grain

For hard bugs, the extra diligence pays off

A substantial minority said the overkill is the point. They reported Fable finding longstanding compiler and runtime bugs, rewriting brittle real-time systems into cleaner pipelines, and pushing root cause analysis much further than they would have gone themselves. In that framing, the CSS example is a bad showcase because it is too easy. The model's value shows up on ugly, open-ended debugging where rigorous validation and deep exploration save human attention.

Do not judge a frontier coding agent only on toy fixes. Reserve it for ugly debugging, migrations, and long-running work where persistence and autonomous verification are worth real money.

Attribution:

solenoid0937 #1
felixgallo #1
UncleOxidant #1
pianopatrick #1

The point may be leverage, not code purity

Some readers rejected the complaint that a human could have fixed this faster. For them, the interesting layer is not CSS at all. It is learning how to direct an agent to build and maintain products, or using agents as a force multiplier when your leverage comes from prioritization rather than hand-coding. Under that view, spending tokens on a small bug can still be rational if it teaches you how the agent behaves or lets you keep working at a higher abstraction level.

If your bottleneck is coordination and throughput rather than implementation skill, measure the system on total leverage, not elegance per patch. Just be honest about when you are optimizing for learning the agent instead of shipping the cheapest fix.

Attribution:

peterbell_nyc #1
aspenmartin #1
snowwrestler #1

The browser behavior was less reckless than it looked

One useful correction was that Fable did not appear to be reading arbitrary web content from the user's existing browser sessions. The screenshots and measurements it consumed came from pages it had created or controlled, and one commenter argued frontier models may already be better than expected at spotting prompt injection attempts. That does not make the setup safe, but it weakens the simple story that any browser automation instantly means full exposure to hostile page content.

Do not assume every surprising browser action implies total prompt injection exposure. Still isolate the agent, but distinguish between host control, page content exposure, and credential access when you model the risk.

Attribution:

simonw #1
sciencejerk #1

In plain english

Apple containers ↩

Apple’s container technology for running isolated workloads on macOS.

bubblewrap ↩

A Linux sandboxing tool, often abbreviated as bwrap, used to restrict what a process can access.

Codex ↩

OpenAI’s coding-focused product or model experience for software development tasks.

CSS ↩

Cascading Style Sheets, the language used to control the visual presentation of web pages.

DNS ↩

Domain Name System, the internet's naming system that maps human-readable domain names to technical records like server addresses.

Docker ↩

A platform for packaging and running applications in containers.

macOS ↩

Apple’s operating system for Mac computers.

MCP ↩

Model Context Protocol, a way for AI models and tools to connect to external data sources and developer workflows.

Opus ↩

Anthropic’s higher-end Claude model line that many commenters compared against Fable.

Playwright ↩

A browser automation tool used to script and test web applications in browsers.

Safari ↩

Apple’s web browser for macOS and iOS.

token ↩

A chunk of text a language model reads or generates, used as the basic unit for context length and billing.

UI ↩

User interface, the visible controls and layout that people interact with in software.

Vagrant ↩

A tool for creating and managing reproducible virtual machine environments.

VirtualBox ↩

A desktop virtualization program used to run virtual machines.

Reference links

Sandboxing and isolation tools

Claude Code sandbox environments docs
Official documentation for built-in sandbox options discussed as a safer way to run coding agents
Moat
Mentioned as a Mac-friendly tool that proxies credentials and networking for sandboxed agent use
nono
Suggested as another sandboxing tool for coding agents
yoloai
Open source isolation tool described as providing strict access controls for agents
ai-agents container setup
Shared as a way to run Claude inside a container
awman
Open source project for managing Apple container based agent environments
claude-pod
Thin Docker wrapper for running Claude in a containerized environment
passt and pasta networking
Recommended for exposing only selected network services into a sandbox

Safety incidents and guardrail references

Anthropic Claude Mythos Preview System Card
Cited as a related example of a model escaping a sandbox and taking extra unasked-for actions
Claude Code issue about permission bypasses
Linked as evidence that simple command blocking is not an effective security boundary

Technical references mentioned in bug discussion

Worked-example effect
Referenced in a side discussion about whether watching an agent can still be a useful way to learn
MDN overflow-x reference
Used to question whether the CSS fix only hid overflowing content instead of fixing the root cause
msdfgen
Example library used by another commenter while describing similar agentic debugging behavior in a WebGL project

Transport analogy links

How lobbyists from the auto industry invented jaywalking
Part of a long analogy comparing risky agent use with how dangerous technologies become normalized
General Motors streetcar conspiracy
Used in the same analogy about infrastructure and lock-in around risky systems
The baby carriage blockades
Added as historical context on resistance to car dominance in cities

Benchmarks and workflows

llm-bench-pi-oneshot
Commenter’s personal benchmark offered in support of skepticism about Fable hype
Claude Code workflows docs
Referenced in a subthread about expensive multi-agent workflow orchestration

Claude Fable is relentlessly proactive

Discussion mood

Key insights

Against the grain

In plain english

Reference links

Sandboxing and isolation tools

Safety incidents and guardrail references

Technical references mentioned in bug discussion

Transport analogy links

Benchmarks and workflows