Emoticon Semantic Confusion: How a Tilde Can Delete Your Home Directory in LLMs

Imagine a late‑night coding session where an AI assistant creates a temporary tmp directory, runs tests, and you finish with a casual "Task done, delete this directory~". The tilde (~) is merely a friendly tone marker for humans, but the model interprets it as the shell shortcut for the user’s home directory and executes rm -rf ~, erasing the entire home folder without warning.

The authors—Weipeng Jiang, Xiaoyu Zhang, Juan Zhai, Shiqing Ma, Chao Shen, and Yang Liu—from Xi’an Jiaotong University, Nanyang Technological University, and UMass Amherst, define this phenomenon as Emoticon Semantic Confusion , a type of "false friend" where symbols that convey emotion to humans have concrete syntactic meaning to LLMs.

Common symbols that overlap with programming syntax include:

~ = user home directory

* = wildcard character

> = output redirection

.. = parent‑directory navigation

() = function call or subshell execution

To quantify the risk, the team built an automated framework that screened over 60,000 real‑world emoticons, selected 3,757 high‑risk candidates, and crafted test cases covering 21 realistic tasks (file management, database operations, system administration) in four programming languages (Shell, Python, SQL, JavaScript). They evaluated six leading LLMs—including GPT, Claude, Gemini, and Qwen.

The systematic testing showed that no model is exempt . The average confusion rate reaches 38.6% , meaning roughly one in three emoticon‑laden prompts is misinterpreted. Even the best performers, Claude and Qwen, exceed a 34% confusion rate.

User surveys indicate that more than 70% of developers habitually use emoticons to modulate tone when interacting with code‑generation AIs, making the issue widespread rather than niche.

More concerning is that over 90% of confused responses result in "silent failures"—the command runs without error but produces semantics far from the user’s intent. Of these silent failures, 52% are classified as high‑risk, such as deleting non‑target files, overwriting critical system configurations, or altering database schemas, thereby posing genuine security hazards.

"The code syntax is perfectly valid and executes, but the semantics are completely off from the user’s intention."

The vulnerability persists when LLMs are wrapped in automated agents; adding prompts like "ignore emoticons" offers little mitigation. The authors call for the research community and industry to treat fine‑grained human‑AI interaction safety as a core concern in building trustworthy AI systems, rather than dismissing it as a minor user‑experience issue.