Claude --dangerously-skip-permissions

See also: Claude

The claude --dangerously-skip-permissions flag is an officially documented command-line option for Claude Code, Anthropic's terminal-based AI coding assistant.^[1] This flag bypasses all permission prompts, allowing Claude Code to execute commands and modify files without user approval. While designed for containerized environments without internet access, it has become widely adopted by developers seeking uninterrupted AI-assisted coding workflows.^[2]

What This Command Does

Core Functionality

The --dangerously-skip-permissions flag completely disables Claude Code's permission system, granting unrestricted access to:

• File System Operations: Read, write, edit, and delete files without approval
• Shell Command Execution: Run any bash commands without confirmation
• Network Operations: Fetch web content and make network requests freely
• Process Control: Start, stop, and manipulate system processes
• Tool Usage: Execute all available tools without permission checks^[3]

Visual Indicator

When active, Claude Code displays:

WARNING: Claude Code running in Bypass Permissions mode

Purpose and Functionality

Official Purpose

According to Anthropic's documentation, this flag is intended "only for Docker containers with no internet" to enable:^[1]

• Automated Workflows: Unattended code generation and modification
• CI/CD Integration: Headless operation in build pipelines
• Batch Processing: Large-scale automated refactoring
• Testing Automation: Continuous test generation and execution

Real-World Application

Developers have expanded usage beyond official recommendations for:^[4]

• Productivity Enhancement: Eliminating "permission fatigue" from constant approval prompts
• Complex Multi-Step Operations: Enabling Claude to complete lengthy tasks without interruption
• Development Workflow Transformation: Shifting from IDE-centric to AI-first development patterns

When and How It's Used

Command Syntax

# Basic usage
claude --dangerously-skip-permissions

# With additional options
claude --dangerously-skip-permissions --model sonnet --verbose

# Headless mode for automation
claude -p "fix all lint errors" --dangerously-skip-permissions --output-format json

Common Use Cases

1. Automated Code Maintenance
   • Fixing lint errors across entire codebases
   • Updating dependencies and resolving conflicts
   • Refactoring legacy code patterns
2. Content Generation
   • Creating boilerplate code and project scaffolding
   • Generating comprehensive test suites
   • Writing documentation and API specifications
3. System Administration
   • Automating development environment setup
   • Managing dotfiles and configurations
   • Performing bulk file operations
4. CI/CD Automation
   • Automated PR reviews and labeling
   • Pre-commit hook execution
   • Build script optimization^[5]

Developer Workflows

Many developers create aliases for convenience:^[2]

alias cc="claude --dangerously-skip-permissions"
alias claude-yolo="claude --dangerously-skip-permissions"

Associated Risks and Warnings

Critical Security Risks

1. Data Loss: Potential for irreversible file deletion or corruption
2. System Compromise: Unrestricted command execution can damage system integrity
3. Data Exfiltration: Vulnerability to prompt injection attacks that steal sensitive data
4. Malware Installation: Possibility of downloading and executing malicious code
5. Credential Exposure: Risk of exposing API keys, passwords, and secrets^[1]

Official Warnings

Anthropic's documentation explicitly states:

"Letting Claude run arbitrary commands is risky and can result in data loss, system corruption, or even data exfiltration (for example via prompt injection attacks)."^[1]

Attack Vectors

• Prompt Injection: Malicious instructions hidden in files or fetched content
• Command Chaining: Complex attack sequences bypassing security measures
• Persistence Mechanisms: Installation of backdoors or malware
• Privilege Escalation: Inheriting elevated permissions when run as root^[6]

Technical Documentation

Permission System Architecture

Claude Code uses a configurable permission system that is completely bypassed when using this flag:^[1]

• Default Mode: Strict read-only permissions by default
• Permission Requests: Additional actions (editing files, running tests, executing commands) require explicit permission
• Configurable Tools: Users can allow or deny specific tools:
  • File Operations: Read, Write, Edit, Create
  • Shell Commands: Bash (with granular command filtering)
  • Network Tools: WebFetch, WebSearch
  • MCP Tools: Model Context Protocol server tools
• Granular Control: Permissions can be set per-tool or with wildcards (for example Bash(git:*) for all git commands)

Implementation Details

• Affected Tools: Edit, Write, Bash, WebFetch, MCP servers
• Scope: All operations execute without approval prompts
• Persistence: Flag must be specified each session
• Configuration: Cannot be permanently set in config files for safety^[7]

Integration with Other Features

Works with Claude Code's ecosystem:

• MCP Servers: All MCP tools execute without permission
• Slash Commands: Custom commands run unrestricted
• Hooks: Pre/post operation hooks execute automatically
• Headless Mode: Combines with -p flag for full automation^[3]

Official Anthropic Documentation

Primary Sources

1. CLI Reference: Listed in official command-line documentation at docs.anthropic.com/en/docs/claude-code/cli-reference^[7]
2. Best Practices Guide: Documented under "Safe YOLO mode" at anthropic.com/engineering/claude-code-best-practices^[3]
3. Security Documentation: Detailed warnings at docs.anthropic.com/s/claude-code-security^[1]

Official Recommendations

Anthropic strongly recommends:

• Using only in Docker containers without internet access
• Implementing the official devcontainer reference configuration
• Maintaining comprehensive backup strategies
• Preferring granular --allowedTools configuration^[1]

Container Reference Implementation

Anthropic provides an official Docker setup:

• Repository: github.com/anthropics/claude-code/.devcontainer
• Features: Custom firewall, network isolation, security boundaries
• Purpose: Safe environment for unrestricted operation^[8]

Context Within Claude Code Ecosystem

Claude Code Overview

Claude Code is Anthropic's terminal-based AI coding assistant that:

• Provides CLI-first development workflows
• Integrates with VS Code, Cursor, and JetBrains IDEs
• Supports Model Context Protocol (MCP) for extensibility
• Offers sophisticated context management^[9]

Relationship to Other Tools

• vs Cursor's YOLO Mode: More granular control but similar risks^[10]
• vs GitHub Copilot: Offers autonomous execution vs inline suggestions
• vs Traditional CLIs: Adds AI reasoning to command execution

Alternative Approaches

# Granular permissions (recommended)
claude --allowedTools "Edit,Bash(git:*),Read"

# Session-based approval
# Use Shift+Tab during session to toggle permissions

# Configuration file approach
# Set allowedTools in ~/.claude.json

Security Implications

Threat Model

1. Immediate Risks
   • Accidental data destruction
   • Exposure of sensitive information
   • System configuration damage
2. Attack Surface
   • Malicious repository content
   • Compromised dependencies
   • Prompt injection via documentation
3. Blast Radius
   • Full access to user-accessible files
   • Network access for data transmission
   • Process manipulation capabilities^[1]

Mitigation Strategies

1. Container Isolation (Strongly Recommended)

   docker run -it --rm \
     -v "$(pwd):/workspace" \
     --network none \
     --read-only \
     claude-container
   

2. Backup Systems
   • Hourly snapshots (Arq, Time Machine)
   • Git commit before sessions
   • Cloud backup synchronization
3. Network Restrictions
   • Firewall rules limiting outbound traffic
   • DNS filtering for known threats
   • Proxy monitoring for suspicious activity^[11]

Best Practices for Usage

For Individual Developers

1. Start Conservative
   • Use standard permissions initially
   • Gradually adopt --allowedTools
   • Reserve dangerous mode for isolated tasks
2. Implement Safeguards
   • Maintain comprehensive backups
   • Use version control religiously
   • Work in disposable environments
3. Monitor Activity
   • Enable verbose logging
   • Review executed commands
   • Audit file modifications^[3]

For Teams and Organizations

1. Policy Development
   • Establish clear usage guidelines
   • Mandate containerization requirements
   • Define acceptable use cases
2. Infrastructure Support
   • Provide secure container environments
   • Implement centralized logging
   • Offer backup automation
3. Training and Education
   • Security awareness programs
   • Best practices documentation
   • Incident response procedures^[3]

Community-Developed Solutions

1. Docker Wrappers
   • claude-code-yolo: Full containerization with credential passthrough^[12]
   • claude-docker: Development environment isolation
   • Custom devcontainer configurations
2. Safety Frameworks
   • Automated backup scripts
   • Permission management tools
   • Audit logging systems^[13]

Related Commands and Flags

Permission Management Flags

# Selective permission bypass
--allowedTools "Edit,Write,Bash(git:*)"

# Explicit tool blocking
--disallowedTools "Bash(rm:*),Bash(curl:*)"

# Debug MCP permissions
--mcp-debug

Workflow Enhancement Flags

# Headless automation
-p, --print "prompt"

# Output formatting
--output-format json
--input-format stream-json

# Context management
--continue
--resume <session-id>
--add-dir <path>

Configuration Commands

# View current permissions
claude config get allowedTools

# Manage MCP servers
claude mcp list
claude mcp add <n> <command>

# Initialize project
claude init

Conclusion

The --dangerously-skip-permissions flag represents a powerful but risky feature in Claude Code's arsenal. While officially intended for isolated container environments, its adoption by the developer community highlights the tension between safety and productivity in AI-assisted development. Success with this flag requires understanding its risks, implementing appropriate safeguards, and maintaining disciplined development practices.

For most use cases, Anthropic's recommendation to use granular --allowedTools configuration provides a safer alternative that balances productivity with security. However, for developers who choose to use dangerous mode, the combination of container isolation, comprehensive backups, and careful monitoring can mitigate most risks while unlocking significant productivity gains.

As AI-assisted development continues to evolve, the patterns established around this flag, balancing automation with safety, community solutions for risk mitigation, and graduated trust models, will likely influence future tool design and best practices in the field.

See Also

• Claude Code
• Anthropic
• AI-assisted development
• Prompt injection
• Docker
• Model Context Protocol

External Links

• Official Claude Code Documentation
• Claude Code Best Practices
• Claude Code GitHub Repository

References