Claude --dangerously-skip-permissions

23 min read
Updated
Suggest editHistoryTalk
RawGraph

Last edited

Fact-checked

In review queue

Sources

19 citations

Revision

v4 · 4,505 words

Fact-checks are independent of edits: a reviewer re-verifies the article against its sources and stamps the date. How we verify

See also: Claude, Claude Code, Anthropic

claude --dangerously-skip-permissions is a command-line flag for Claude Code, Anthropic's terminal-based AI agent for coding, that turns off Claude Code's per-action permission prompts so the agent can edit files and run shell commands without pausing to ask the user for approval.[1][2] It is equivalent to launching Claude Code in the bypassPermissions permission mode, is widely nicknamed "YOLO mode" in the developer community, and according to Anthropic's official documentation should "only [be used] in isolated environments like containers, VMs, or dev containers without internet access, where Claude Code cannot damage your host system."[2] Even with the flag active, two safeguards remain: explicit ask rules still force a prompt, and removals that target the filesystem root or your home directory (rm -rf /, rm -rf ~) still prompt as a circuit breaker against model error.[2] Anthropic warns that bypass mode "offers no protection against prompt injection or unintended actions," and since 2025 has shipped two safer paths (sandboxed Bash in October 2025 and auto mode in March 2026) that it now recommends for most workflows.[2][3][4]

What is --dangerously-skip-permissions?

Core Functionality

The --dangerously-skip-permissions flag disables Claude Code's permission checks, so tool calls execute immediately without an approval prompt.[2] In normal operation, "When Claude wants to edit a file, run a shell command, or make a network request, it pauses and asks you to approve the action."[2] The flag removes that pause, granting effectively unrestricted access to:

  • File System Operations: Read, write, edit, and delete files without approval

  • Shell Command Execution: Run any bash commands without confirmation

  • Network Operations: Fetch web content and make network requests freely

  • Process Control: Start, stop, and manipulate system processes

  • Tool Usage: Execute all available tools without permission checks[5]

In Anthropic's own comparison of how the three "fewer prompts" features replace the per-action prompt, the entry for --dangerously-skip-permissions is blunt: what replaces the prompt is "Nothing."[6]

Visual Indicator

When active, Claude Code displays a status bar warning:

WARNING: Claude Code running in Bypass Permissions mode

The CLI also shows a one-time confirmation prompt the first time the flag is used in a session, requiring the user to acknowledge the risk before commands execute. The prompt explicitly states that Anthropic does not recommend running the flag on a host machine and links to the security documentation.[1]

Relationship to bypassPermissions Mode

The flag is functionally identical to launching Claude Code with --permission-mode bypassPermissions or setting "defaultMode": "bypassPermissions" in settings.json. As the official permission-modes reference states plainly, "The --dangerously-skip-permissions flag is equivalent" to starting with --permission-mode bypassPermissions.[2] All three entry points activate the same internal mode, which "disables permission prompts and safety checks so tool calls execute immediately."[2]

What still prompts in bypass mode is a deliberately small set of guardrails:[2]

Guardrail still active in bypass modeWhat it does
Explicit ask rulesAny tool matching an ask rule in settings.json still forces a prompt
Root-or-home-directory removal circuit breakerrm -rf / and rm -rf ~ still prompt as a safety net against model error
Root/sudo refusal (Linux and macOS)Claude Code refuses to start in this mode when run as root or under sudo

Note on protected paths: in every other mode (default, acceptEdits, plan), writes to a set of protected paths such as .git, .claude, .bashrc, .zshrc, and .mcp.json are never auto-approved. As of Claude Code v2.1.126, bypassPermissions is the one exception: protected-path writes ARE allowed in bypass mode, where earlier versions still prompted for them.[2] This is part of why Anthropic restricts the mode to disposable environments.

Why is it intended only for isolated environments?

Official Purpose

According to Anthropic's documentation, this flag is intended only for "isolated environments like containers, VMs, or dev containers without internet access, where Claude Code cannot damage your host system."[2] Typical sanctioned use cases include:

  • Automated Workflows: Unattended code generation and modification

  • CI/CD Integration: Headless operation in build pipelines

  • Batch Processing: Large-scale automated refactoring

  • Testing Automation: Continuous test generation and execution

Real-World Application

Developers have expanded usage beyond official recommendations for:[7]

  • Productivity Enhancement: Eliminating "permission fatigue" from constant approval prompts

  • Complex Multi-Step Operations: Enabling Claude to complete lengthy tasks without interruption

  • Development Workflow Transformation: Shifting from IDE-centric to AI-first development patterns

  • Parallel Agent Loops: Running many Claude Code instances in a bash while-loop, a pattern popularized by Anthropic researchers (with the explicit caveat to run inside a container, not on a host)[8]

The Root/Sudo Refusal

A hard guardrail that surprises many first-time users: on Linux and macOS, Claude Code refuses to launch with --dangerously-skip-permissions when running as root or via sudo, printing:

--dangerously-skip-permissions cannot be used with root/sudo privileges for security reasons

Anthropic's documentation explains the rationale: "this flag is blocked when running as root or via sudo on Linux and macOS, because root access combined with no permission prompts can modify any file or service on the system. The check is skipped automatically inside a recognized sandbox. To run autonomously in a container, use the dev container configuration, which runs Claude Code as a non-root user."[9] This is precisely why the official devcontainer runs the agent as a non-root user.

When and how is it used?

Command Syntax

# Basic usage
claude --dangerously-skip-permissions

# With additional options
claude --dangerously-skip-permissions --model sonnet --verbose

# Headless mode for automation
claude -p "fix all lint errors" --dangerously-skip-permissions --output-format json

# Equivalent permission-mode invocation
claude --permission-mode bypassPermissions

# Add the mode to the Shift+Tab cycle without activating it
claude --allow-dangerously-skip-permissions

The --allow-dangerously-skip-permissions variant lets the user opt in to having bypass mode appear in the Shift+Tab cycle while starting the session in a safer mode. Per the official docs, bypassPermissions "appears after you start with --permission-mode bypassPermissions, --dangerously-skip-permissions, or --allow-dangerously-skip-permissions; the --allow- variant adds the mode to the cycle without activating it."[2] This makes it easy to switch into bypass mode for a specific risky operation without committing the entire session to it.

Common Use Cases

  1. Automated Code Maintenance
  • Fixing lint errors across entire codebases

  • Updating dependencies and resolving conflicts

  • Refactoring legacy code patterns

  1. Content Generation
  • Creating boilerplate code and project scaffolding

  • Generating comprehensive test suites

  • Writing documentation and API specifications

  1. System Administration
  • Automating development environment setup

  • Managing dotfiles and configurations

  • Performing bulk file operations

  1. CI/CD Automation
  • Automated PR reviews and labeling

  • Pre-commit hook execution

  • Build script optimization[10]

  1. GitHub Actions and Cloud Runners
  • Running Claude Code inside ephemeral Linux runners that are destroyed after each job

  • Combining with the Anthropic-published GitHub Action for issue triage and PR review

Developer Workflows

Many developers create aliases for convenience:[7]

alias cc="claude --dangerously-skip-permissions"
alias claude-yolo="claude --dangerously-skip-permissions"

While these aliases are popular, they remove the friction that protects against accidental use on the host machine. Several community write-ups recommend instead aliasing the flag to a sandbox wrapper such as claude-sandbox or a Docker invocation, so that the alias still requires the user to be inside a disposable environment before commands run.[11]

Is it safe to use?

Short answer: only inside a disposable, isolated environment, never on a machine that holds data you care about. Anthropic's documentation and a growing record of community incidents point to the same conclusion. The flag removes the human checkpoint that normally catches a destructive command or a prompt injection payload before it runs.

Critical Security Risks

  1. Data Loss: Potential for irreversible file deletion or corruption

  2. System Compromise: Unrestricted command execution can damage system integrity

  3. Data Exfiltration: Vulnerability to prompt injection attacks that steal sensitive data

  4. Malware Installation: Possibility of downloading and executing malicious code

  5. Credential Exposure: Risk of exposing API keys, passwords, and secrets[1]

Documented Real-World Incidents

A record of community-reported incidents illustrates the concrete failure modes of running an agentic CLI without per-action review (whether via bypass mode or a similarly loose configuration):

DateIncidentOutcome
October 2025A user reported Claude Code issuing a recursive delete that wiped user-owned files; thousands of "permission denied" errors protected system files but every user-writable file was destroyed.[12]Loss of user data on the machine
December 2025A user asked Claude Code to "clean up packages." The model generated rm -rf tests/ patches/ plan/ ~/. The trailing ~/ expanded to the entire home directory.Loss of desktop files, Keychain, and application data
March 2026Oasis Security disclosed the "Claudy Day" trio of vulnerabilities affecting Claude.ai. Hidden HTML in claude.ai/new?q=... URLs could inject prompts that exfiltrated chat history to an attacker-controlled Anthropic account via the Files API.[13]Silent data exfiltration
2026PromptArmor demonstrated file exfiltration in Claude Cowork via indirect prompt injection, using a curl command to upload files to the attacker's Anthropic account.[14]File leak via attacker API key

These incidents share a common thread: the human checkpoint that would have caught the malicious instruction or destructive command before it ran was absent. (Note that current versions of Claude Code add a circuit breaker that prompts even in bypass mode for rm -rf / and rm -rf ~, and refuse to start in bypass mode as root, mitigating some, though not all, of these exact failure modes.)[2][9]

Official Warnings

Anthropic's documentation is explicit. The permission-modes reference states:

"bypassPermissions offers no protection against prompt injection or unintended actions. For background safety checks with far fewer permission prompts, use auto mode instead."[2]

And the security documentation warns:

"Letting Claude run arbitrary commands is risky and can result in data loss, system corruption, or even data exfiltration (for example via prompt injection attacks)."[1]

More broadly, Anthropic notes that "While these protections significantly reduce risk, no system is completely immune to all attacks. Always maintain good security practices when working with any AI tool."[1]

Attack Vectors

  • Prompt injection: Malicious instructions hidden in files, web pages, READMEs, issue comments, or fetched dependencies

  • Command Chaining: Complex attack sequences that bypass simple deny rules

  • Persistence Mechanisms: Installation of backdoors, cron jobs, or shell hooks

  • Privilege Escalation: Inheriting elevated permissions when the agent is mis-run with high privilege

  • Credential Theft via Network Egress: Reading .env, ~/.aws/credentials, or SSH keys and POSTing them to a remote endpoint[15]

How does the permission system work?

Permission System Architecture

Claude Code uses a configurable permission system that is completely bypassed when using this flag. The full set of permission modes available as of 2026 is summarized below:[2]

ModeWhat runs without promptingBest for
defaultReads onlyGetting started, sensitive work
acceptEditsReads, file edits, and common filesystem commands (mkdir, touch, rm, mv, cp, sed)Iterating on code you review afterward
planReads only, no editsExploring a codebase before changing it
autoEverything, with background safety checks (classifier)Long autonomous tasks, reducing prompt fatigue
dontAskOnly pre-approved tools, no promptsLocked-down CI pipelines
bypassPermissionsEverything (except the circuit-breaker cases above)Isolated containers and VMs only

Cycling through modes during a session is done with Shift+Tab, which by default cycles default then acceptEdits then plan. The bypassPermissions and auto modes only appear in the cycle if the relevant enabling flag is passed at startup; with both enabled, bypassPermissions slots in first and auto last.[2]

Permission Rule Layering

In every mode, allow, ask, and deny rules can be layered on top via settings.json. As the docs note, "Deny rules and explicit ask rules apply in every mode, including bypassPermissions. Allow rules have no effect in that mode because everything else is already approved."[2]

{
  "permissions": {
    "defaultMode": "default",
    "allow": ["Bash(npm run *)", "Bash(git status)"],
    "deny": ["Bash(rm *)", "Bash(curl *)"],
    "ask": ["Bash(git push *)"]
  }
}

This is an important nuance: a deny or ask rule written in settings.json IS still enforced in bypassPermissions mode (contrary to a common misconception), while allow rules are simply redundant there. Administrators who want to prevent the mode from being used at all can set permissions.disableBypassPermissionsMode to "disable" in managed settings.[2]

Implementation Details

  • Affected Tools: Edit, Write, Bash, WebFetch, WebSearch, Model Context Protocol (MCP) servers, sub-agents

  • Scope: All operations execute without approval prompts, except the circuit-breaker cases (root/home removals, explicit ask rules)

  • Persistence: Flag must be specified each session, or defaultMode set in settings.json

  • Configuration: Cannot be entered from a session that was started without one of the enabling flags; you must restart with the flag.[2]

Integration with Other Features

Works with Claude Code's ecosystem:

  • MCP Servers: All MCP tools execute without permission

  • Slash Commands: Custom commands run unrestricted

  • Hooks: PreToolUse and PermissionRequest hooks still fire and remain the primary mechanism for adding custom safety logic

  • Headless Mode: Combines with -p for full automation

  • Sub-agents: A sub-agent spawned in bypass mode also runs unrestricted[5]

What are the safer alternatives introduced in 2025-2026?

Anthropic has invested heavily in alternatives that capture most of the workflow benefit of bypass mode without removing the safety net.

Sandboxed Bash (October 2025)

The /sandbox feature uses operating-system primitives to confine Claude Code's shell tool. As the docs describe it, "The Bash sandbox lets Claude run most shell commands without stopping to ask permission. Instead of approving each command, you define which files and network domains commands can touch, and the operating system enforces that boundary for every Bash command and its child processes."[3]

PlatformUnderlying technologyWhat it isolates
macOSSeatbelt (sandbox-exec)Filesystem outside the working directory, network
Linuxbubblewrap (+ socat)Filesystem outside the working directory, network
WSL2bubblewrapSame as Linux (WSL1 and native Windows unsupported)

Inside the sandbox, the shell tool can write only to the working directory and the session temp directory by default, and network access is brokered through a proxy that enforces a domain allowlist (no domains are pre-allowed). Anthropic published the underlying runtime as the open-source @anthropic-ai/sandbox-runtime package so other agent frameworks can adopt it. The docs caution that the sandbox "reduces risk but is not a complete isolation boundary," because the proxy does not perform TLS inspection.[3]

Auto Mode (March 2026)

Auto mode was announced on March 25, 2026, requires Claude Code v2.1.83 or later, and is positioned as the recommended replacement for --dangerously-skip-permissions for most workflows.[4] Anthropic describes it as "a new mode for Claude Code that delegates approvals to model-based classifiers, a middle ground between manual review and no guardrails."[4] The design choice was data-driven: "Claude Code users approve 93% of permission prompts," so a classifier can automate most of those decisions while still catching the rare dangerous one.[4]

It uses a two-layered defense:

  1. Server-side prompt-injection probe: A probe "scans tool outputs (file reads, web fetches, shell output, external tool responses)" before they reach the agent.[4]
  2. Transcript classifier (Claude Sonnet 4.6): A separate model evaluates each pending action with "a fast single-token filter (deciding 'yes' to block or 'no' to allow), followed by chain-of-thought reasoning only if the first filter flags the transcript."[4]

Anthropic reported the final pipeline achieved a 0.4% false-positive rate and a 17% false-negative rate on a set of real overeager actions (n=52).[4] The classifier blocks high-risk actions by default, including:[2]

  • Downloading and executing code (curl | bash)
  • Sending sensitive data to external endpoints
  • Production deploys and migrations
  • Mass deletion on cloud storage
  • Granting IAM or repo permissions
  • Force push, or pushing directly to main
  • Irreversibly destroying files that existed before the session
  • Destructive git commands (git reset --hard, git clean -fd, git stash drop) and infrastructure teardown (terraform destroy, pulumi destroy, cdk destroy)

Per the live documentation, auto mode is available on all plans, but on Team and Enterprise an Owner must enable it first. On the Anthropic API it requires Claude Opus 4.6 or later, or Sonnet 4.6; on Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry only Opus 4.7 and Opus 4.8 are supported (and the CLAUDE_CODE_ENABLE_AUTO_MODE variable must be set). Auto mode is labelled a research preview that "reduces permission prompts but does not guarantee safety."[2]

Comparison of Modes

Concern--dangerously-skip-permissionsauto modeSandboxed Bash
Prompts the userOnly for circuit-breaker cases (root/home removal, ask rules)Never (with classifier oversight)Only for actions outside the sandbox boundary
Protects against prompt injectionNoPartial (classifier and probe)Partial (filesystem and network confined)
Requires specific planNoAll plans (Owner-enabled on Team/Enterprise)No
Recommended for host machineNoYesYes
Adds latencyNoneClassifier round-tripMinimal
Available sinceOriginal releaseMarch 2026October 2025

What are the official Anthropic sources?

Primary Sources

  1. Permission Modes Reference: code.claude.com/docs/en/permission-modes[2]

  2. Permissions Configuration: code.claude.com/docs/en/permissions[16]

  3. Sandboxing Documentation: code.claude.com/docs/en/sandboxing[3]

  4. Auto Mode Engineering Blog: anthropic.com/engineering/claude-code-auto-mode[4]

  5. Security Documentation: code.claude.com/docs/en/security[1]

  6. Best Practices Guide: code.claude.com/docs/en/best-practices[10]

  7. Devcontainer Reference: code.claude.com/docs/en/devcontainer[17]

Official Recommendations

Anthropic strongly recommends:

  • Using only in Docker containers, VMs, or devcontainers without unrestricted internet access

  • Implementing the official devcontainer reference configuration for unattended runs

  • Preferring auto mode for interactive workflows that need fewer prompts

  • Using sandboxed Bash on the host when full isolation is impractical

  • Maintaining comprehensive backup strategies regardless of mode

  • Layering granular allow/deny rules in settings.json rather than relying on bypass mode

Container Reference Implementation

Anthropic publishes an official devcontainer setup at github.com/anthropics/claude-code/.devcontainer. It includes three components:[17]

FilePurpose
devcontainer.jsonContainer settings, extensions, volume mounts
DockerfileImage definition (Node.js 20, ZSH, fzf, git, gh)
init-firewall.shiptables rules and ipset of allowed domains

The firewall enforces a default-deny outbound policy and only resolves a small allowlist of domains: registry.npmjs.org, api.anthropic.com, statsig.com, plus dynamic GitHub IP ranges fetched from the GitHub /meta API. DNS and SSH are allowed; everything else is blocked. Critically, the devcontainer runs Claude Code as a non-root user, which is what allows --dangerously-skip-permissions to run inside it despite the root/sudo refusal.[9][17]

Anthropic notes that even with the devcontainer, a malicious project can still exfiltrate anything reachable inside the container, including Claude Code credentials. The recommendation is to use devcontainers only with trusted repositories.[17]

Sandboxing Tooling Comparison

For users running Claude Code outside the official devcontainer, several community and OS-level tools provide isolation:

ToolPlatformMechanismNotes
Anthropic devcontainerCross-platform (Docker)Docker + iptables firewallOfficial, recommended for VS Code workflows
Claude Code /sandboxmacOS, Linux, WSL2Seatbelt or bubblewrapBuilt-in since October 2025
claude-sandbox (kohkimakimoto)macOSsandbox-exec profileRestricts filesystem to working dir
claude-code-sandbox (neko-kai)macOSsandbox-exec profileRead-restriction focus
sandvault (webcoyote)macOSDedicated user account + sandbox-execWorks for Claude Code, Codex, Cursor, Gemini
Apple ContainerizationmacOSLightweight VMReleased 2025, suited for stronger isolation
Firecracker microVMsLinuxKVM microVMsUsed by some CI providers for ephemeral runs
GitHub CodespacesCloudContainer in cloud VMDisposable by design

Each of these reduces but does not eliminate the risks of bypass mode. None of them stop a malicious instruction from misusing tools that the sandbox legitimately permits, which is why Anthropic positions auto mode as a complementary defense.

Context Within the Claude Code Ecosystem

Claude Code Overview

Claude Code is Anthropic's terminal-based AI coding assistant that:

  • Provides CLI-first development workflows

  • Integrates with VS Code, Cursor, and JetBrains IDEs

  • Supports Model Context Protocol (MCP) for extensibility

  • Offers sophisticated context management

  • Supports headless and remote-control modes for cloud and CI use

How does it compare to other coding agents?

ToolEquivalent flag or modeComparison
Cursor"YOLO mode" toggleSimilar full-bypass behavior, fewer granular controls
GitHub Copilot WorkspaceN/A (inline suggestions)No autonomous shell execution
OpenAI Codex CLI--auto-edit, --full-autoComparable risk profile in full-auto
Aider--yes-alwaysSkips confirmations for edits and commands

Alternative Approaches in Plain Settings

# Granular permissions (recommended for trusted workflows)
claude --allowedTools "Edit,Bash(git:*),Read"

# Plan first, then approve
claude --permission-mode plan

# Auto mode with classifier oversight (recommended replacement)
claude --permission-mode auto

# Locked-down CI
claude --permission-mode dontAsk -p "run lints"

Security Implications

Threat Model

  1. Immediate Risks
  • Accidental data destruction by unconstrained shell commands

  • Exposure of sensitive information through tool calls

  • Damage to system configuration

  1. Attack Surface
  • Malicious repository content

  • Compromised npm or pip dependencies

  • Prompt injection via documentation, READMEs, web pages, or MCP tool outputs

  1. Blast Radius
  • Full access to user-accessible files

  • Network access for data transmission

  • Process manipulation capabilities[1]

Mitigation Strategies

  1. Container Isolation (Strongly Recommended)
docker run -it --rm \
  -v "$(pwd):/workspace" \
  --network none \
  --read-only \
  claude-container
  1. Backup Systems
  • Hourly snapshots (Arq, Time Machine, ZFS snapshots)

  • Git commit before sessions

  • Cloud backup synchronization

  1. Network Restrictions
  • Firewall rules limiting outbound traffic to a domain allowlist

  • DNS filtering for known threats

  • Outbound proxy with logging

  1. Hooks for Defense in Depth
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [{ "type": "command", "command": "/usr/local/bin/cmd-guard.sh" }]
      }
    ]
  }
}

A PreToolUse hook can block dangerous commands such as rm -rf or sudo even when bypass mode is active.[18]

What are the best practices for using it?

For Individual Developers

  1. Start Conservative
  • Use default or acceptEdits for routine work

  • Try auto mode before reaching for bypass

  • Reserve bypass mode for tasks running inside a sandbox

  1. Implement Safeguards
  • Maintain comprehensive backups

  • Commit before each agentic session

  • Work in disposable environments (containers, VMs, ephemeral cloud)

  1. Monitor Activity
  • Enable verbose logging with --verbose

  • Review the session transcript before leaving the machine unattended

  • Audit file modifications via git diff

For Teams and Organizations

  1. Policy Development
  • Establish clear usage guidelines

  • Mandate containerization or sandboxing requirements

  • Define acceptable use cases (CI, devcontainers, dedicated VMs)

  1. Infrastructure Support
  • Provide secure container environments by default

  • Implement centralized logging of CLI sessions

  • Offer backup automation for developer machines

  1. Training and Education
  • Security awareness covering prompt injection

  • Best practices documentation

  • Incident response procedures

  1. Managed Settings
  • Set permissions.disableBypassPermissionsMode to "disable" to forbid the mode entirely

  • Use autoMode.environment to declare trusted internal infrastructure for auto mode

  • Enforce defaultMode per-team via managed settings[2]

Community-Developed Solutions

ProjectTypeWhat it provides
claude-code-yoloDocker wrapperFull containerization with credential passthrough[19]
claude-dockerDocker templateDevelopment environment isolation
claude-sandboxmacOS sandbox-exec wrapperRestricts filesystem reach
sandvaultmacOS user + sandbox-execRuns multiple agents (Claude, Codex, Cursor, Gemini) safely
Custom hooksShell scriptsPreToolUse blocks for dangerous commands

Permission Management Flags

# Selective permission bypass
--allowedTools "Edit,Write,Bash(git:*)"

# Explicit tool blocking
--disallowedTools "Bash(rm:*),Bash(curl:*)"

# Choose a permission mode
--permission-mode default|acceptEdits|plan|auto|dontAsk|bypassPermissions

# Add bypass to the cycle without entering it
--allow-dangerously-skip-permissions

# Debug MCP permissions
--mcp-debug

Workflow Enhancement Flags

# Headless automation
-p, --print "prompt"

# Output formatting
--output-format json
--input-format stream-json

# Context management
--continue
--resume <session-id>
--add-dir <path>

Configuration Commands

# View current permissions
claude config get allowedTools

# Manage MCP servers
claude mcp list
claude mcp add <name> <command>

# Inspect auto mode defaults
claude auto-mode defaults

Conclusion

The --dangerously-skip-permissions flag remains a powerful but high-risk feature in Claude Code. It exists because there are legitimate scenarios, such as ephemeral CI runners, devcontainers, and disposable VMs, where the prompt-by-prompt approval flow is impractical. Outside those scenarios, both Anthropic's documentation and the community's incident record point to the same conclusion: do not run the flag on a host machine.

Since 2025 the practical answer for most users has shifted. Sandboxed Bash gives a host-friendly safety boundary at the OS level, while auto mode gives an interactive workflow with classifier-based oversight that catches the actions most likely to cause harm. For developers who still need full bypass, the official devcontainer with the published firewall remains the safest officially supported path.

The patterns that grew up around this flag, balancing automation with safety, layered sandboxes, hook-based deny lists, and graduated trust models, will continue to shape how agentic AI tools are deployed.

See Also

References

  1. Anthropic. "Security." Claude Code documentation. `code.claude.com/docs/en/security`
  2. Anthropic. "Choose a permission mode." Claude Code documentation. `code.claude.com/docs/en/permission-modes`
  3. Anthropic. "Configure the sandboxed Bash tool." Claude Code documentation. `code.claude.com/docs/en/sandboxing`
  4. Anthropic Engineering. "How we built Claude Code auto mode: a safer way to skip permissions." March 25, 2026. `anthropic.com/engineering/claude-code-auto-mode`
  5. Anthropic. "CLI reference." Claude Code documentation. `code.claude.com/docs/en/cli-reference`
  6. Anthropic. "Configure the sandboxed Bash tool" (comparison table: `--dangerously-skip-permissions` replaces the prompt with "Nothing"). `code.claude.com/docs/en/sandboxing`
  7. ClaudeLog. "Dangerous Skip Permissions." `claudelog.com/mechanics/dangerous-skip-permissions`
  8. Anthropic best-practices guidance on parallel agent loops and non-interactive fan-out. `code.claude.com/docs/en/best-practices`
  9. Anthropic. "Configure the sandboxed Bash tool" (root/sudo refusal troubleshooting entry). `code.claude.com/docs/en/sandboxing`
  10. Anthropic. "Best practices for Claude Code." Claude Code documentation. `code.claude.com/docs/en/best-practices`
  11. Kohki Makimoto. "claude-sandbox: Yet another sandboxing tool for Claude Code on macOS." `dev.to/kohkimakimoto`
  12. Community-reported incident, October 2025; summarized in `thomas-wiegold.com/blog/claude-code-dangerously-skip-permissions`
  13. Oasis Security. "Claude.ai Prompt Injection Vulnerability ('Claudy Day')." `oasis.security/blog/claude-ai-prompt-injection-data-exfiltration-vulnerability`
  14. PromptArmor. "Claude Cowork Exfiltrates Files." `promptarmor.com/resources/claude-cowork-exfiltrates-files`
  15. TrueFoundry. "Prompt Injection and AI Agent Security Risks: A Claude Code Guide for Enterprise Teams." `truefoundry.com/blog/claude-code-prompt-injection`
  16. Anthropic. "Permissions." Claude Code documentation. `code.claude.com/docs/en/permissions`
  17. Anthropic. "Development containers." Claude Code documentation. `code.claude.com/docs/en/devcontainer`
  18. Anthropic. "Hooks." Claude Code documentation. `code.claude.com/docs/en/hooks`
  19. Community project `claude-code-yolo` on GitHub; see also `github.com/webcoyote/sandvault` for related multi-agent sandboxing.

Improve this article

Add missing citations, update stale details, or suggest a clearer explanation. Every suggestion is reviewed for sourcing before it goes live.

3 revisions by 1 contributors · full history

Suggest edit