Claude --dangerously-skip-permissions
Last reviewed
Sources
19 citations
Review status
Source-backed
Revision
v4 · 4,505 words
See also: Claude, Claude Code, Anthropic
claude --dangerously-skip-permissions is a command-line flag for Claude Code, Anthropic's terminal-based AI agent for coding, that turns off Claude Code's per-action permission prompts so the agent can edit files and run shell commands without pausing to ask the user for approval.[1][2] It is equivalent to launching Claude Code in the bypassPermissions permission mode, is widely nicknamed "YOLO mode" in the developer community, and according to Anthropic's official documentation should "only [be used] in isolated environments like containers, VMs, or dev containers without internet access, where Claude Code cannot damage your host system."[2] Even with the flag active, two safeguards remain: explicit ask rules still force a prompt, and removals that target the filesystem root or your home directory (rm -rf /, rm -rf ~) still prompt as a circuit breaker against model error.[2] Anthropic warns that bypass mode "offers no protection against prompt injection or unintended actions," and since 2025 has shipped two safer paths (sandboxed Bash in October 2025 and auto mode in March 2026) that it now recommends for most workflows.[2][3][4]
The --dangerously-skip-permissions flag disables Claude Code's permission checks, so tool calls execute immediately without an approval prompt.[2] In normal operation, "When Claude wants to edit a file, run a shell command, or make a network request, it pauses and asks you to approve the action."[2] The flag removes that pause, granting effectively unrestricted access to:
File System Operations: Read, write, edit, and delete files without approval
Shell Command Execution: Run any bash commands without confirmation
Network Operations: Fetch web content and make network requests freely
Process Control: Start, stop, and manipulate system processes
Tool Usage: Execute all available tools without permission checks[5]
In Anthropic's own comparison of how the three "fewer prompts" features replace the per-action prompt, the entry for --dangerously-skip-permissions is blunt: what replaces the prompt is "Nothing."[6]
When active, Claude Code displays a status bar warning:
WARNING: Claude Code running in Bypass Permissions mode
The CLI also shows a one-time confirmation prompt the first time the flag is used in a session, requiring the user to acknowledge the risk before commands execute. The prompt explicitly states that Anthropic does not recommend running the flag on a host machine and links to the security documentation.[1]
The flag is functionally identical to launching Claude Code with --permission-mode bypassPermissions or setting "defaultMode": "bypassPermissions" in settings.json. As the official permission-modes reference states plainly, "The --dangerously-skip-permissions flag is equivalent" to starting with --permission-mode bypassPermissions.[2] All three entry points activate the same internal mode, which "disables permission prompts and safety checks so tool calls execute immediately."[2]
What still prompts in bypass mode is a deliberately small set of guardrails:[2]
| Guardrail still active in bypass mode | What it does |
|---|---|
| Explicit ask rules | Any tool matching an ask rule in settings.json still forces a prompt |
| Root-or-home-directory removal circuit breaker | rm -rf / and rm -rf ~ still prompt as a safety net against model error |
| Root/sudo refusal (Linux and macOS) | Claude Code refuses to start in this mode when run as root or under sudo |
Note on protected paths: in every other mode (default, acceptEdits, plan), writes to a set of protected paths such as .git, .claude, .bashrc, .zshrc, and .mcp.json are never auto-approved. As of Claude Code v2.1.126, bypassPermissions is the one exception: protected-path writes ARE allowed in bypass mode, where earlier versions still prompted for them.[2] This is part of why Anthropic restricts the mode to disposable environments.
According to Anthropic's documentation, this flag is intended only for "isolated environments like containers, VMs, or dev containers without internet access, where Claude Code cannot damage your host system."[2] Typical sanctioned use cases include:
Automated Workflows: Unattended code generation and modification
CI/CD Integration: Headless operation in build pipelines
Batch Processing: Large-scale automated refactoring
Testing Automation: Continuous test generation and execution
Developers have expanded usage beyond official recommendations for:[7]
Productivity Enhancement: Eliminating "permission fatigue" from constant approval prompts
Complex Multi-Step Operations: Enabling Claude to complete lengthy tasks without interruption
Development Workflow Transformation: Shifting from IDE-centric to AI-first development patterns
Parallel Agent Loops: Running many Claude Code instances in a bash while-loop, a pattern popularized by Anthropic researchers (with the explicit caveat to run inside a container, not on a host)[8]
A hard guardrail that surprises many first-time users: on Linux and macOS, Claude Code refuses to launch with --dangerously-skip-permissions when running as root or via sudo, printing:
--dangerously-skip-permissions cannot be used with root/sudo privileges for security reasons
Anthropic's documentation explains the rationale: "this flag is blocked when running as root or via sudo on Linux and macOS, because root access combined with no permission prompts can modify any file or service on the system. The check is skipped automatically inside a recognized sandbox. To run autonomously in a container, use the dev container configuration, which runs Claude Code as a non-root user."[9] This is precisely why the official devcontainer runs the agent as a non-root user.
```bash
# Basic usage
claude --dangerously-skip-permissions
# With additional options
claude --dangerously-skip-permissions --model sonnet --verbose
# Headless mode for automation
claude -p "fix all lint errors" --dangerously-skip-permissions --output-format json
# Equivalent permission-mode invocation
claude --permission-mode bypassPermissions
# Add the mode to the Shift+Tab cycle without activating it
claude --allow-dangerously-skip-permissions
```
The --allow-dangerously-skip-permissions variant lets the user opt in to having bypass mode appear in the Shift+Tab cycle while starting the session in a safer mode. Per the official docs, bypassPermissions "appears after you start with --permission-mode bypassPermissions, --dangerously-skip-permissions, or --allow-dangerously-skip-permissions; the --allow- variant adds the mode to the cycle without activating it."[2] This makes it easy to switch into bypass mode for a specific risky operation without committing the entire session to it.
Fixing lint errors across entire codebases
Updating dependencies and resolving conflicts
Refactoring legacy code patterns
Creating boilerplate code and project scaffolding
Generating comprehensive test suites
Writing documentation and API specifications
Automating development environment setup
Managing dotfiles and configurations
Performing bulk file operations
Automated PR reviews and labeling
Pre-commit hook execution
Build script optimization[10]
Running Claude Code inside ephemeral Linux runners that are destroyed after each job
Combining with the Anthropic-published GitHub Action for issue triage and PR review
Many developers create aliases for convenience:[7]
```bash
alias cc="claude --dangerously-skip-permissions"
alias claude-yolo="claude --dangerously-skip-permissions"
```
While these aliases are popular, they remove the friction that protects against accidental use on the host machine. Several community write-ups recommend instead aliasing the flag to a sandbox wrapper such as claude-sandbox or a Docker invocation, so that the alias still requires the user to be inside a disposable environment before commands run.[11]
Short answer: only inside a disposable, isolated environment, never on a machine that holds data you care about. Anthropic's documentation and a growing record of community incidents point to the same conclusion. The flag removes the human checkpoint that normally catches a destructive command or a prompt injection payload before it runs.
Data Loss: Potential for irreversible file deletion or corruption
System Compromise: Unrestricted command execution can damage system integrity
Data Exfiltration: Vulnerability to prompt injection attacks that steal sensitive data
Malware Installation: Possibility of downloading and executing malicious code
Credential Exposure: Risk of exposing API keys, passwords, and secrets[1]
A record of community-reported incidents illustrates the concrete failure modes of running an agentic CLI without per-action review (whether via bypass mode or a similarly loose configuration):
| Date | Incident | Outcome |
|---|---|---|
| October 2025 | A user reported Claude Code issuing a recursive delete that wiped user-owned files; thousands of "permission denied" errors protected system files but every user-writable file was destroyed.[12] | Loss of user data on the machine |
| December 2025 | A user asked Claude Code to "clean up packages." The model generated rm -rf tests/ patches/ plan/ ~/. The trailing ~/ expanded to the entire home directory. | Loss of desktop files, Keychain, and application data |
| March 2026 | Oasis Security disclosed the "Claudy Day" trio of vulnerabilities affecting Claude.ai. Hidden HTML in claude.ai/new?q=... URLs could inject prompts that exfiltrated chat history to an attacker-controlled Anthropic account via the Files API.[13] | Silent data exfiltration |
| 2026 | PromptArmor demonstrated file exfiltration in Claude Cowork via indirect prompt injection, using a curl command to upload files to the attacker's Anthropic account.[14] | File leak via attacker API key |
These incidents share a common thread: the human checkpoint that would have caught the malicious instruction or destructive command before it ran was absent. (Note that current versions of Claude Code add a circuit breaker that prompts even in bypass mode for rm -rf / and rm -rf ~, and refuse to start in bypass mode as root, mitigating some, though not all, of these exact failure modes.)[2][9]
Anthropic's documentation is explicit. The permission-modes reference states:
"bypassPermissions offers no protection against prompt injection or unintended actions. For background safety checks with far fewer permission prompts, use auto mode instead."[2]
And the security documentation warns:
"Letting Claude run arbitrary commands is risky and can result in data loss, system corruption, or even data exfiltration (for example via prompt injection attacks)."[1]
More broadly, Anthropic notes that "While these protections significantly reduce risk, no system is completely immune to all attacks. Always maintain good security practices when working with any AI tool."[1]
Prompt injection: Malicious instructions hidden in files, web pages, READMEs, issue comments, or fetched dependencies
Command Chaining: Complex attack sequences that bypass simple deny rules
Persistence Mechanisms: Installation of backdoors, cron jobs, or shell hooks
Privilege Escalation: Inheriting elevated permissions when the agent is mis-run with high privilege
Credential Theft via Network Egress: Reading .env, ~/.aws/credentials, or SSH keys and POSTing them to a remote endpoint[15]
Claude Code uses a configurable permission system that is completely bypassed when using this flag. The full set of permission modes available as of 2026 is summarized below:[2]
| Mode | What runs without prompting | Best for |
|---|---|---|
| default | Reads only | Getting started, sensitive work |
| acceptEdits | Reads, file edits, and common filesystem commands (mkdir, touch, rm, mv, cp, sed) | Iterating on code you review afterward |
| plan | Reads only, no edits | Exploring a codebase before changing it |
| auto | Everything, with background safety checks (classifier) | Long autonomous tasks, reducing prompt fatigue |
| dontAsk | Only pre-approved tools, no prompts | Locked-down CI pipelines |
| bypassPermissions | Everything (except the circuit-breaker cases above) | Isolated containers and VMs only |
Cycling through modes during a session is done with Shift+Tab, which by default cycles default then acceptEdits then plan. The bypassPermissions and auto modes only appear in the cycle if the relevant enabling flag is passed at startup; with both enabled, bypassPermissions slots in first and auto last.[2]
In every mode, allow, ask, and deny rules can be layered on top via settings.json. As the docs note, "Deny rules and explicit ask rules apply in every mode, including bypassPermissions. Allow rules have no effect in that mode because everything else is already approved."[2]
```json
{
  "permissions": {
    "defaultMode": "default",
    "allow": ["Bash(npm run *)", "Bash(git status)"],
    "deny": ["Bash(rm *)", "Bash(curl *)"],
    "ask": ["Bash(git push *)"]
  }
}
```
This is an important nuance: a deny or ask rule written in settings.json IS still enforced in bypassPermissions mode (contrary to a common misconception), while allow rules are simply redundant there. Administrators who want to prevent the mode from being used at all can set permissions.disableBypassPermissionsMode to "disable" in managed settings.[2]
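A simplified model of the rule layering described above, added here as an illustration and not Claude Code's actual matcher: it assumes deny is checked before ask and ask before allow, treats `*` as a plain wildcard via `fnmatch`, and models default mode as prompting for any Bash call that has no allow rule. It runs the page's example permissions block against constructed sample calls to show which ones lose their human checkpoint under bypassPermissions.

```python
"""Simplified model of how permission rules combine with the mode (added example)."""
from fnmatch import fnmatchcase


def rule_matches(rule, tool, command):
    """Match 'Tool' or 'Tool(pattern)' against a call; '*' is a plain wildcard here."""
    name, _, pattern = rule.partition("(")
    if name != tool:
        return False
    return not pattern or fnmatchcase(command, pattern[:-1])


def decide(tool, command, permissions, mode):
    """Return 'deny', 'ask' or 'run' for one tool call."""
    for outcome in ("deny", "ask"):  # enforced in every mode, bypass included
        if any(rule_matches(r, tool, command) for r in permissions.get(outcome, [])):
            return outcome
    if mode == "bypassPermissions":
        return "run"  # allow rules are redundant: everything else already runs
    allowed = any(rule_matches(r, tool, command) for r in permissions.get("allow", []))
    return "run" if allowed else "ask"  # modelled default mode: prompt unless allowed


def lost_checkpoints(permissions, calls):
    """Calls that prompt in the modelled default mode but run unreviewed in bypass."""
    return [c for c in calls
            if decide("Bash", c, permissions, "default") == "ask"
            and decide("Bash", c, permissions, "bypassPermissions") == "run"]


# The permissions block from the settings.json example on this page.
PAGE_PERMISSIONS = {
    "allow": ["Bash(npm run *)", "Bash(git status)"],
    "deny": ["Bash(rm *)", "Bash(curl *)"],
    "ask": ["Bash(git push *)"],
}
# Constructed sample calls; the URL and script path are hypothetical.
SAMPLE_CALLS = [
    "npm run build",
    "git push origin main",
    "curl https://example.invalid/install.sh",
    "rm -rf build",
    "wget https://example.invalid/install.sh",
    "python3 scripts/upload.py",
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(f"{call!r:45} default={decide('Bash', call, PAGE_PERMISSIONS, 'default'):5} "
              f"bypass={decide('Bash', call, PAGE_PERMISSIONS, 'bypassPermissions')}")
    print("no longer reviewed under bypass:", lost_checkpoints(PAGE_PERMISSIONS, SAMPLE_CALLS))
```

The last line of output lists the calls that a deny list written around `rm` and `curl` does not cover once the prompt is gone.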
Affected Tools: Edit, Write, Bash, WebFetch, WebSearch, Model Context Protocol (MCP) servers, sub-agents
Scope: All operations execute without approval prompts, except the circuit-breaker cases (root/home removals, explicit ask rules)
Persistence: Flag must be specified each session, or defaultMode set in settings.json
Configuration: Cannot be entered from a session that was started without one of the enabling flags; you must restart with the flag.[2]
Works with Claude Code's ecosystem:
MCP Servers: All MCP tools execute without permission
Slash Commands: Custom commands run unrestricted
Hooks: PreToolUse and PermissionRequest hooks still fire and remain the primary mechanism for adding custom safety logic
Headless Mode: Combines with -p for full automation
Sub-agents: A sub-agent spawned in bypass mode also runs unrestricted[5]
Anthropic has invested heavily in alternatives that capture most of the workflow benefit of bypass mode without removing the safety net.
The /sandbox feature uses operating-system primitives to confine Claude Code's shell tool. As the docs describe it, "The Bash sandbox lets Claude run most shell commands without stopping to ask permission. Instead of approving each command, you define which files and network domains commands can touch, and the operating system enforces that boundary for every Bash command and its child processes."[3]
| Platform | Underlying technology | What it isolates |
|---|---|---|
| macOS | Seatbelt (sandbox-exec) | Filesystem outside the working directory, network |
| Linux | bubblewrap (+ socat) | Filesystem outside the working directory, network |
| WSL2 | bubblewrap | Same as Linux (WSL1 and native Windows unsupported) |
Inside the sandbox, the shell tool can write only to the working directory and the session temp directory by default, and network access is brokered through a proxy that enforces a domain allowlist (no domains are pre-allowed). Anthropic published the underlying runtime as the open-source @anthropic-ai/sandbox-runtime package so other agent frameworks can adopt it. The docs caution that the sandbox "reduces risk but is not a complete isolation boundary," because the proxy does not perform TLS inspection.[3]
Auto mode was announced on March 25, 2026, requires Claude Code v2.1.83 or later, and is positioned as the recommended replacement for --dangerously-skip-permissions for most workflows.[4] Anthropic describes it as "a new mode for Claude Code that delegates approvals to model-based classifiers, a middle ground between manual review and no guardrails."[4] The design choice was data-driven: "Claude Code users approve 93% of permission prompts," so a classifier can automate most of those decisions while still catching the rare dangerous one.[4]
It uses a two-layered defense:
Anthropic reported the final pipeline achieved a 0.4% false-positive rate and a 17% false-negative rate on a set of real overeager actions (n=52).[4] The classifier blocks high-risk actions by default, including:[2]
curl | bash)
main
git reset --hard, git clean -fd, git stash drop) and infrastructure teardown (terraform destroy, pulumi destroy, cdk destroy)
Per the live documentation, auto mode is available on all plans, but on Team and Enterprise an Owner must enable it first. On the Anthropic API it requires Claude Opus 4.6 or later, or Sonnet 4.6; on Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry only Opus 4.7 and Opus 4.8 are supported (and the CLAUDE_CODE_ENABLE_AUTO_MODE variable must be set). Auto mode is labelled a research preview that "reduces permission prompts but does not guarantee safety."[2]
| Concern | --dangerously-skip-permissions | auto mode | Sandboxed Bash |
|---|---|---|---|
| Prompts the user | Only for circuit-breaker cases (root/home removal, ask rules) | Never (with classifier oversight) | Only for actions outside the sandbox boundary |
| Protects against prompt injection | No | Partial (classifier and probe) | Partial (filesystem and network confined) |
| Requires specific plan | No | All plans (Owner-enabled on Team/Enterprise) | No |
| Recommended for host machine | No | Yes | Yes |
| Adds latency | None | Classifier round-trip | Minimal |
| Available since | Original release | March 2026 | October 2025 |
Permission Modes Reference: code.claude.com/docs/en/permission-modes[2]
Permissions Configuration: code.claude.com/docs/en/permissions[16]
Sandboxing Documentation: code.claude.com/docs/en/sandboxing[3]
Auto Mode Engineering Blog: anthropic.com/engineering/claude-code-auto-mode[4]
Security Documentation: code.claude.com/docs/en/security[1]
Best Practices Guide: code.claude.com/docs/en/best-practices[10]
Devcontainer Reference: code.claude.com/docs/en/devcontainer[17]
Anthropic strongly recommends:
Using only in Docker containers, VMs, or devcontainers without unrestricted internet access
Implementing the official devcontainer reference configuration for unattended runs
Preferring auto mode for interactive workflows that need fewer prompts
Using sandboxed Bash on the host when full isolation is impractical
Maintaining comprehensive backup strategies regardless of mode
Layering granular allow/deny rules in settings.json rather than relying on bypass mode
Anthropic publishes an official devcontainer setup at github.com/anthropics/claude-code/.devcontainer. It includes three components:[17]
| File | Purpose |
|---|---|
| devcontainer.json | Container settings, extensions, volume mounts |
| Dockerfile | Image definition (Node.js 20, ZSH, fzf, git, gh) |
| init-firewall.sh | iptables rules and ipset of allowed domains |
The firewall enforces a default-deny outbound policy and only resolves a small allowlist of domains: registry.npmjs.org, api.anthropic.com, statsig.com, plus dynamic GitHub IP ranges fetched from the GitHub /meta API. DNS and SSH are allowed; everything else is blocked. Critically, the devcontainer runs Claude Code as a non-root user, which is what allows --dangerously-skip-permissions to run inside it despite the root/sudo refusal.[9][17]
Anthropic notes that even with the devcontainer, a malicious project can still exfiltrate anything reachable inside the container, including Claude Code credentials. The recommendation is to use devcontainers only with trusted repositories.[17]
For users running Claude Code outside the official devcontainer, several community and OS-level tools provide isolation:
| Tool | Platform | Mechanism | Notes |
|---|---|---|---|
| Anthropic devcontainer | Cross-platform (Docker) | Docker + iptables firewall | Official, recommended for VS Code workflows |
| Claude Code /sandbox | macOS, Linux, WSL2 | Seatbelt or bubblewrap | Built-in since October 2025 |
| claude-sandbox (kohkimakimoto) | macOS | sandbox-exec profile | Restricts filesystem to working dir |
| claude-code-sandbox (neko-kai) | macOS | sandbox-exec profile | Read-restriction focus |
| sandvault (webcoyote) | macOS | Dedicated user account + sandbox-exec | Works for Claude Code, Codex, Cursor, Gemini |
| Apple Containerization | macOS | Lightweight VM | Released 2025, suited for stronger isolation |
| Firecracker microVMs | Linux | KVM microVMs | Used by some CI providers for ephemeral runs |
| GitHub Codespaces | Cloud | Container in cloud VM | Disposable by design |
Each of these reduces but does not eliminate the risks of bypass mode. None of them stop a malicious instruction from misusing tools that the sandbox legitimately permits, which is why Anthropic positions auto mode as a complementary defense.
Claude Code is Anthropic's terminal-based AI coding assistant that:
Provides CLI-first development workflows
Integrates with VS Code, Cursor, and JetBrains IDEs
Supports Model Context Protocol (MCP) for extensibility
Offers sophisticated context management
Supports headless and remote-control modes for cloud and CI use
| Tool | Equivalent flag or mode | Comparison |
|---|---|---|
| Cursor | "YOLO mode" toggle | Similar full-bypass behavior, fewer granular controls |
| GitHub Copilot Workspace | N/A (inline suggestions) | No autonomous shell execution |
| OpenAI Codex CLI | --auto-edit, --full-auto | Comparable risk profile in full-auto |
| Aider | --yes-always | Skips confirmations for edits and commands |
```bash
# Granular permissions (recommended for trusted workflows)
claude --allowedTools "Edit,Bash(git:*),Read"
# Plan first, then approve
claude --permission-mode plan
# Auto mode with classifier oversight (recommended replacement)
claude --permission-mode auto
# Locked-down CI
claude --permission-mode dontAsk -p "run lints"
```
Accidental data destruction by unconstrained shell commands
Exposure of sensitive information through tool calls
Damage to system configuration
Malicious repository content
Compromised npm or pip dependencies
Prompt injection via documentation, READMEs, web pages, or MCP tool outputs
Full access to user-accessible files
Network access for data transmission
Process manipulation capabilities[1]
```bash
docker run -it --rm \
  -v "$(pwd):/workspace" \
  --network none \
  --read-only \
  claude-container
```
Hourly snapshots (Arq, Time Machine, ZFS snapshots)
Git commit before sessions
Cloud backup synchronization
Firewall rules limiting outbound traffic to a domain allowlist
DNS filtering for known threats
Outbound proxy with logging
```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [{ "type": "command", "command": "/usr/local/bin/cmd-guard.sh" }]
      }
    ]
  }
}
```
A PreToolUse hook can block dangerous commands such as rm -rf or sudo even when bypass mode is active.[18]
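One possible implementation of a guard like the cmd-guard.sh named in the hook configuration above, written in Python; it is an added example, not Anthropic's or this page's code. It assumes the hook contract from Claude Code's hooks documentation (the tool call arrives as JSON on stdin with `tool_name`, `tool_input.command` and `cwd`, and exit code 2 blocks the call), and its policy is an illustrative choice: block sudo, and block any recursive rm whose target is the home directory, a parent of it, or anything not strictly inside the working directory, which covers the trailing `~/` from the December 2025 incident.

```python
#!/usr/bin/env python3
"""PreToolUse guard for Bash tool calls. Added example, not Anthropic's code."""
import json
import os
import shlex
import sys

OPERATORS = set(";&|()")  # characters that separate simple commands


def split_commands(command):
    """Tokenize like a POSIX shell and split on ;, &&, ||, | and parentheses."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # keep '#' inside words instead of dropping the rest
    commands = [[]]
    for token in lex:  # raises ValueError on unbalanced quotes
        if token and set(token) <= OPERATORS:
            commands.append([])
        else:
            commands[-1].append(token)
    return [words for words in commands if words]


def parse_rm(args):
    """Return (recursive, targets) for rm's arguments, honouring a literal '--'."""
    cut = args.index("--") if "--" in args else len(args)
    options = [a for a in args[:cut] if a.startswith("-")]
    targets = [a for a in args[:cut] if not a.startswith("-")] + args[cut + 1:]
    short = "".join(o for o in options if not o.startswith("--"))
    return "--recursive" in options or "r" in short or "R" in short, targets


def resolve(target, cwd, home):
    """Expand ~ and $HOME as the shell would, then normalise against cwd."""
    if target == "~" or target.startswith("~/"):
        target = home + target[1:]
    target = target.replace("${HOME}", home).replace("$HOME", home)
    return os.path.normpath(os.path.join(cwd, target))


def check_command(command, cwd, home):
    """Return the reason a command is blocked, or None to let it through."""
    try:
        commands = split_commands(command)
    except ValueError:
        return "unparseable command (unbalanced quotes)"  # fail closed
    home = os.path.normpath(home)
    inside = os.path.normpath(cwd).rstrip("/") + "/"
    for words in commands:
        name = os.path.basename(words[0])
        if name == "sudo":
            return "sudo is not allowed"
        recursive, targets = parse_rm(words[1:])
        if name != "rm" or not recursive:
            continue
        for target in targets:
            path = resolve(target, cwd, home)
            if (home + "/").startswith(path.rstrip("/") + "/"):
                return f"recursive rm of home or a parent of it: {target} -> {path}"
            if not path.startswith(inside):
                return f"recursive rm outside the working directory: {target} -> {path}"
    return None


def main():
    event = json.load(sys.stdin)  # the hook receives the tool call as JSON
    if event.get("tool_name") != "Bash":
        return 0
    command = event.get("tool_input", {}).get("command", "")
    cwd = event.get("cwd") or os.getcwd()
    reason = check_command(command, cwd, os.path.expanduser("~"))
    if reason:
        print(f"cmd-guard: blocked: {reason}", file=sys.stderr)
    return 2 if reason else 0  # exit code 2 blocks the call


if __name__ == "__main__":
    sys.exit(main())
```

Symlinks are not resolved and wrappers such as xargs or env are not unwrapped, so this is a backstop for model error rather than a replacement for the sandbox or container.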
Use default or acceptEdits for routine work
Try auto mode before reaching for bypass
Reserve bypass mode for tasks running inside a sandbox
Maintain comprehensive backups
Commit before each agentic session
Work in disposable environments (containers, VMs, ephemeral cloud)
Enable verbose logging with --verbose
Review the session transcript before leaving the machine unattended
Audit file modifications via git diff
Establish clear usage guidelines
Mandate containerization or sandboxing requirements
Define acceptable use cases (CI, devcontainers, dedicated VMs)
Provide secure container environments by default
Implement centralized logging of CLI sessions
Offer backup automation for developer machines
Security awareness covering prompt injection
Best practices documentation
Incident response procedures
Set permissions.disableBypassPermissionsMode to "disable" to forbid the mode entirely
Use autoMode.environment to declare trusted internal infrastructure for auto mode
Enforce defaultMode per-team via managed settings[2]
| Project | Type | What it provides |
|---|---|---|
| claude-code-yolo | Docker wrapper | Full containerization with credential passthrough[19] |
| claude-docker | Docker template | Development environment isolation |
| claude-sandbox | macOS sandbox-exec wrapper | Restricts filesystem reach |
| sandvault | macOS user + sandbox-exec | Runs multiple agents (Claude, Codex, Cursor, Gemini) safely |
| Custom hooks | Shell scripts | PreToolUse blocks for dangerous commands |
```
# Selective permission bypass
--allowedTools "Edit,Write,Bash(git:*)"
# Explicit tool blocking
--disallowedTools "Bash(rm:*),Bash(curl:*)"
# Choose a permission mode
--permission-mode default|acceptEdits|plan|auto|dontAsk|bypassPermissions
# Add bypass to the cycle without entering it
--allow-dangerously-skip-permissions
# Debug MCP permissions
--mcp-debug
# Headless automation
-p, --print "prompt"
# Output formatting
--output-format json
--input-format stream-json
# Context management
--continue
--resume <session-id>
--add-dir <path>
```
```bash
# View current permissions
claude config get allowedTools
# Manage MCP servers
claude mcp list
claude mcp add <name> <command>
# Inspect auto mode defaults
claude auto-mode defaults
```
The --dangerously-skip-permissions flag remains a powerful but high-risk feature in Claude Code. It exists because there are legitimate scenarios, such as ephemeral CI runners, devcontainers, and disposable VMs, where the prompt-by-prompt approval flow is impractical. Outside those scenarios, both Anthropic's documentation and the community's incident record point to the same conclusion: do not run the flag on a host machine.
Since 2025 the practical answer for most users has shifted. Sandboxed Bash gives a host-friendly safety boundary at the OS level, while auto mode gives an interactive workflow with classifier-based oversight that catches the actions most likely to cause harm. For developers who still need full bypass, the official devcontainer with the published firewall remains the safest officially supported path.
The patterns that grew up around this flag, balancing automation with safety, layered sandboxes, hook-based deny lists, and graduated trust models, will continue to shape how agentic AI tools are deployed.