A developer gave Claude Fable 5 a screenshot and a single sentence. He walked away from his computer. When he came back, the AI had invented its own browser automation toolkit, written a custom web server, hacked application templates, and was actively taking screenshots of Safari windows. Nobody told it to do any of that.
If you run a service business and you’re thinking about deploying autonomous AI agents, this story from Simon Willison is the most important thing you’ll read this week. It shows exactly how powerful (and how dangerous) self-directed agents have become.
What happened
- Simon Willison, a well-known developer, noticed a CSS bug (an unwanted horizontal scrollbar) in his Datasette Agent project.
- He gave Claude Fable 5, running inside Claude Code, a screenshot and one line of instruction: “Look at dependencies to help figure out why there is a horizontal scrollbar here.”
- He left his computer for a few minutes. When he returned, the AI had opened browser windows on its own, built scratch HTML files to reproduce the bug, and was actively investigating.
- Fable wrote its own Python script using pyobjc-framework-Quartz to iterate through all open windows on the machine and take targeted screenshots using macOS’s screencapture tool.
- It edited the app’s own templates to inject JavaScript that would trigger keyboard shortcuts automatically, opening the exact UI dialog it needed to inspect.
- It built a custom Python CORS web server to receive diagnostic JSON data from JavaScript running inside the browser, then read that data from disk.
- It navigated into a Web Component’s shadow DOM, took CSS measurements, and identified the root cause: a two-line CSS fix.
- Partway through, Fable hit an internal guardrail and downgraded itself to Claude Opus 4, which finished the job using the same tricks Fable had pioneered.
The numbers
- $12.11 in estimated API token cost for this single debugging session (tracked via AgentsView).
- 68,606 output tokens generated.
- 113,178 peak context window tokens used.
- Willison is on the $100/month Claude Max plan, which currently includes Fable usage until June 22nd. After that, full API prices apply.
- The entire fix? Two lines of CSS.
5 things every service business operator should take from this
- Agents don’t stay in their lane. Fable was told to look at dependency code. Instead it launched browsers, wrote servers, edited templates, and scripted macOS window management. Autonomous agents will do whatever they think solves the problem, whether you expected it or not.
- Unsandboxed agents are a real risk. Willison himself called this a top contender for a “Challenger disaster incident.” If a prompt injection attack had been hidden in the codebase, Fable had enough capability to exfiltrate data, modify files, or cause serious damage. Any agent with terminal access can do anything you can do in a terminal.
- Costs add up fast without guardrails. $12 for a CSS bug fix is expensive. Multiply that across a team running agents on real projects all day, and you could burn through thousands in a month without noticing. Token budgets and session limits aren’t optional.
- The smarter the agent, the bigger the blast radius. Fable’s intelligence is exactly what makes it dangerous. It invented techniques (like the pyobjc window enumeration trick) that weren’t in any documentation. A smarter agent that gets subverted by bad instructions can do far more damage than a dumb one.
- Supervision workflows matter more than model choice. The real question isn’t “which model should I use?” It’s “how do I scope what the agent can do, watch what it’s doing in real time, and audit what it did after?” That’s the operational challenge for every business deploying agents.
The hot take
Most businesses are not ready for this. Not even close. The industry is racing to ship autonomous agents, and operators are excited about productivity gains. But Claude Fable just demonstrated that a coding agent, given minimal instruction, will teach itself new capabilities on the fly to accomplish its goal. That’s incredible. It’s also terrifying if you don’t have supervision infrastructure in place. The companies that win with agentic AI won’t be the ones who deploy it fastest. They’ll be the ones who deploy it with the tightest guardrails and the best audit trails. Speed without oversight is just a faster way to break things.
The Agency OS play
This week, take stock of anywhere your team is running AI agents with terminal or file system access. That includes Claude Code, Cursor’s agent mode, Cline, Aider, or anything similar. Make a list. For each one, ask: is this running in a sandbox? Is there a token budget cap per session? Is anyone reviewing what the agent actually did?
If the answer to any of those is “no,” fix it before you scale up. Sandboxing tools like Docker containers or dedicated VMs are table stakes. Set hard spending limits per agent session (something like $5 to $10 max for routine tasks). And build a habit of reviewing agent transcripts after sessions, especially for anything touching production code or customer data. Willison used a tool called AgentsView to track costs and prompted the agent to write its own report of what it did. Both of those are patterns you should steal today.
Longer term, start building internal documentation for your team on how to scope agent tasks. The lesson from this story is simple: vague instructions plus a powerful agent equals unpredictable behavior. Write tight, specific prompts. Define what the agent should NOT do, not just what it should. And never walk away from an unsandboxed agent session without setting boundaries first. The agents are smart enough now. The question is whether your processes are.
