Last reviewed
Apr 26, 2026
Sources
17 citations
Review status
Source-backed
Revision
v3 ยท 3,618 words
Add missing citations, update stale details, or suggest a clearer explanation.
See also: Claude, Claude Code, Anthropic
The claude --dangerously-skip-permissions flag is an officially documented command-line option for Claude Code, Anthropic's terminal-based AI coding assistant.[1] This flag bypasses all permission prompts, allowing Claude Code to execute commands and modify files without user approval. It is equivalent to entering Claude Code's bypassPermissions permission mode and is sometimes referred to in the developer community as "YOLO mode."[2] While Anthropic designed the flag for containerized environments without internet access, it became widely adopted by developers seeking uninterrupted AI-assisted coding workflows. Since the introduction of Claude Code sandboxing in October 2025 and the release of auto mode in March 2026, Anthropic has officially recommended safer alternatives for most use cases.[3][4]
The --dangerously-skip-permissions flag completely disables Claude Code's permission system, granting unrestricted access to:
File System Operations: Read, write, edit, and delete files without approval
Shell Command Execution: Run any bash commands without confirmation
Network Operations: Fetch web content and make network requests freely
Process Control: Start, stop, and manipulate system processes
Tool Usage: Execute all available tools without permission checks[5]
When active, Claude Code displays a status bar warning:
WARNING: Claude Code running in Bypass Permissions mode
The CLI also shows a one-time confirmation prompt the first time the flag is used in a session, requiring the user to acknowledge the risk before commands execute. The prompt explicitly states that Anthropic does not recommend running the flag on a host machine and links to the security documentation.[1]
The flag is functionally identical to launching Claude Code with --permission-mode bypassPermissions or setting "defaultMode": "bypassPermissions" in settings.json. All three entry points activate the same internal mode. The mode disables every permission check except writes to a small set of protected paths.[2]
Protected paths that still prompt even in bypass mode include:
| Type | Path | Purpose |
|---|---|---|
| Directory | .git | Repository state |
| Directory | .vscode, .idea | Editor configuration |
| Directory | .husky | Git hooks |
| Directory | .claude (except commands, agents, skills, worktrees) | Claude Code config |
| File | .gitconfig, .gitmodules | Git settings |
| File | .bashrc, .zshrc, .profile | Shell startup |
| File | .mcp.json, .claude.json | MCP and Claude config |
These paths are guarded in every mode and are never auto-approved.[2]
According to Anthropic's documentation, this flag is intended only for "isolated environments like containers, VMs, or devcontainers without internet access, where Claude Code cannot damage your host system."[2] Typical sanctioned use cases include:
Automated Workflows: Unattended code generation and modification
CI/CD Integration: Headless operation in build pipelines
Batch Processing: Large-scale automated refactoring
Testing Automation: Continuous test generation and execution
Developers have expanded usage beyond official recommendations for:[6]
Productivity Enhancement: Eliminating "permission fatigue" from constant approval prompts
Complex Multi-Step Operations: Enabling Claude to complete lengthy tasks without interruption
Development Workflow Transformation: Shifting from IDE-centric to AI-first development patterns
Parallel Agent Loops: Running many Claude Code instances in a bash while-loop, a pattern popularized by Anthropic researchers (with the explicit caveat to run inside a container, not on a host)[7]
# Basic usage
claude --dangerously-skip-permissions
# With additional options
claude --dangerously-skip-permissions --model sonnet --verbose
# Headless mode for automation
claude -p "fix all lint errors" --dangerously-skip-permissions --output-format json
# Equivalent permission-mode invocation
claude --permission-mode bypassPermissions
# Add the mode to the Shift+Tab cycle without activating it
claude --allow-dangerously-skip-permissions
The --allow-dangerously-skip-permissions variant introduced alongside the v2.1 permission-mode rework lets the user opt in to having bypass mode appear in the Shift+Tab cycle while starting the session in a safer mode. This makes it easier to switch into bypass mode for a specific risky operation without committing the entire session to it.[2]
Fixing lint errors across entire codebases
Updating dependencies and resolving conflicts
Refactoring legacy code patterns
Creating boilerplate code and project scaffolding
Generating comprehensive test suites
Writing documentation and API specifications
Automating development environment setup
Managing dotfiles and configurations
Performing bulk file operations
Automated PR reviews and labeling
Pre-commit hook execution
Build script optimization[8]
Running Claude Code inside ephemeral Linux runners that are destroyed after each job
Combining with the Anthropic-published GitHub Action for issue triage and PR review
Many developers create aliases for convenience:[6]
alias cc="claude --dangerously-skip-permissions"
alias claude-yolo="claude --dangerously-skip-permissions"
While these aliases are popular, they remove the friction that protects against accidental use on the host machine. Several community write-ups recommend instead aliasing the flag to a sandbox wrapper such as claude-sandbox or a Docker invocation, so that the alias still requires the user to be inside a disposable environment before commands run.[9]
Data Loss: Potential for irreversible file deletion or corruption
System Compromise: Unrestricted command execution can damage system integrity
Data Exfiltration: Vulnerability to prompt injection attacks that steal sensitive data
Malware Installation: Possibility of downloading and executing malicious code
Credential Exposure: Risk of exposing API keys, passwords, and secrets[1]
A growing record of community-reported incidents illustrates the concrete failure modes of running the flag on a host machine:
| Date | Incident | Outcome |
|---|---|---|
| October 2025 | A user reported Claude Code executing rm -rf / from a root shell. Thousands of "permission denied" errors protected system files but every user-owned file was destroyed.[10] | Loss of all user data on the machine |
| December 2025 | A user asked Claude Code to "clean up packages." The model generated rm -rf tests/ patches/ plan/ ~/. The trailing ~/ expanded to the entire home directory. | Loss of desktop files, Keychain, and application data |
| March 2026 | Oasis Security disclosed the "Claudy Day" trio of vulnerabilities affecting Claude.ai. Hidden HTML in claude.ai/new?q=... URLs could inject prompts that exfiltrated chat history to an attacker-controlled Anthropic account via the Files API.[11] | Silent data exfiltration |
| 2026 | PromptArmor demonstrated file exfiltration in Claude Cowork via indirect prompt injection, using a curl command to upload files to the attacker's Anthropic account.[12] | File leak via attacker API key |
These incidents share a common thread: bypass mode (or an equivalent loosely-permissioned environment) removed the human checkpoint that would have caught the malicious instruction or destructive command before it ran.
Anthropic's documentation explicitly states:
"bypassPermissions offers no protection against prompt injection or unintended actions. For background safety checks without prompts, use auto mode instead."[2]
"Letting Claude run arbitrary commands is risky and can result in data loss, system corruption, or even data exfiltration (for example via prompt injection attacks)."[1]
Prompt injection: Malicious instructions hidden in files, web pages, READMEs, issue comments, or fetched dependencies
Command Chaining: Complex attack sequences that bypass simple deny rules
Persistence Mechanisms: Installation of backdoors, cron jobs, or shell hooks
Privilege Escalation: Inheriting elevated permissions when run as root
Credential Theft via Network Egress: Reading .env, ~/.aws/credentials, or SSH keys and POSTing them to a remote endpoint[13]
Claude Code uses a configurable permission system that is completely bypassed when using this flag. The full set of permission modes available as of 2026 is summarized below:[2]
| Mode | What runs without prompting | Best for |
|---|---|---|
default | Reads only | Sensitive work, getting started |
acceptEdits | Reads, edits, common filesystem commands (mkdir, touch, mv, cp, sed) | Iterating on code you review afterward |
plan | Reads only, no edits | Exploring a codebase before changing it |
auto | Everything, screened by a classifier model | Long autonomous tasks |
dontAsk | Only pre-approved tools, no prompts | Locked-down CI pipelines |
bypassPermissions | Everything except protected paths | Isolated containers and VMs only |
Cycling through modes during a session is done with Shift+Tab. The bypassPermissions and auto modes only appear in the cycle if the relevant enabling flag is passed at startup.[2]
In every mode except bypassPermissions, additional allow, ask, and deny rules can be layered on top via settings.json:
{
"permissions": {
"defaultMode": "default",
"allow": ["Bash(npm run *)", "Bash(git status)"],
"deny": ["Bash(rm *)", "Bash(curl *)"],
"ask": ["Bash(git push *)"]
}
}
The bypassPermissions mode skips the permission rule layer entirely, which means even deny rules written in settings.json are not enforced when the flag is active. Administrators who want to prevent the mode from being used at all can set permissions.disableBypassPermissionsMode to "disable" in managed settings.[2]
Affected Tools: Edit, Write, Bash, WebFetch, WebSearch, MCP servers, sub-agents
Scope: All operations execute without approval prompts, except writes to protected paths
Persistence: Flag must be specified each session, or defaultMode set in settings.json
Configuration: Cannot be permanently set per-project for safety; must be explicitly opted into[14]
Works with Claude Code's ecosystem:
Slash Commands: Custom commands run unrestricted
Hooks: PreToolUse and PostToolUse hooks still fire and remain the primary mechanism for adding custom safety logic
Headless Mode: Combines with -p for full automation
Sub-agents: Inherited permission state means a sub-agent spawned in bypass mode also runs unrestricted[5]
Anthropic has invested heavily in alternatives that capture most of the workflow benefit of bypass mode without removing the safety net.
The /sandbox feature, announced October 20, 2025, uses operating-system primitives to confine Claude Code's shell tool. It reduced permission prompts by 84% in Anthropic's internal usage.[3]
| Platform | Underlying technology | What it isolates |
|---|---|---|
| macOS | Seatbelt (sandbox-exec) | Filesystem outside the working directory, network |
| Linux | bubblewrap | Filesystem outside the working directory, network |
Inside the sandbox, the shell tool is restricted to read/write within the current working directory, and network access is brokered through a Unix domain socket connected to a proxy that enforces an allowlist. Anthropic published the runtime as open source so other agent frameworks can adopt it.[3]
Auto mode, announced on March 25, 2026, requires Claude Code v2.1.83 or later and is positioned as the recommended replacement for --dangerously-skip-permissions for most workflows.[4] It uses a two-layered defense:
The classifier blocks high-risk actions by default:
curl | bash)mainAuto mode is available on Max, Team, Enterprise, and API plans (not Pro), and only with Sonnet 4.6, Opus 4.6, or Opus 4.7 on the Anthropic API. Bedrock and Vertex are not supported.[2]
| Concern | --dangerously-skip-permissions | auto mode | Sandboxed Bash |
|---|---|---|---|
| Prompts the user | Never (except protected paths) | Never (with classifier oversight) | Only for actions outside sandbox |
| Protects against prompt injection | No | Partial (classifier and probe) | Partial (filesystem and network confined) |
| Requires specific plan | No | Max, Team, Enterprise, API | No |
| Recommended for host machine | No | Yes | Yes |
| Adds latency | None | Classifier round-trip | Minimal |
| Available since | Original release | March 2026 | October 2025 |
Permission Modes Reference: code.claude.com/docs/en/permission-modes[2]
Permissions Configuration: code.claude.com/docs/en/permissions[14]
Sandboxing Documentation: code.claude.com/docs/en/sandboxing
Auto Mode Engineering Blog: anthropic.com/engineering/claude-code-auto-mode[4]
Sandboxing Engineering Blog: anthropic.com/engineering/claude-code-sandboxing[3]
Best Practices Guide: anthropic.com/engineering/claude-code-best-practices[8]
Devcontainer Reference: code.claude.com/docs/en/devcontainer[15]
Anthropic strongly recommends:
Using only in Docker containers, VMs, or devcontainers without unrestricted internet access
Implementing the official devcontainer reference configuration for unattended runs
Preferring auto mode for interactive workflows that need fewer prompts
Using sandboxed Bash on the host when full isolation is impractical
Maintaining comprehensive backup strategies regardless of mode
Layering granular allow/deny rules in settings.json rather than relying on bypass mode
Anthropic publishes an official devcontainer setup at github.com/anthropics/claude-code/.devcontainer. It includes three components:[15]
| File | Purpose |
|---|---|
devcontainer.json | Container settings, extensions, volume mounts |
Dockerfile | Image definition (Node.js 20, ZSH, fzf, git, gh) |
init-firewall.sh | iptables rules and ipset of allowed domains |
The firewall enforces a default-deny outbound policy and only resolves a small allowlist of domains: registry.npmjs.org, api.anthropic.com, statsig.com, plus dynamic GitHub IP ranges fetched from the GitHub /meta API. DNS and SSH are allowed; everything else is blocked. The init-firewall.sh script runs at container start and validates the rule set before Claude Code is allowed to launch.[15]
Anthropic notes that even with the devcontainer, a malicious project can still exfiltrate anything reachable inside the container, including Claude Code credentials. The recommendation is to use devcontainers only with trusted repositories.[15]
For users running Claude Code outside the official devcontainer, several community and OS-level tools provide isolation:
| Tool | Platform | Mechanism | Notes |
|---|---|---|---|
| Anthropic devcontainer | Cross-platform (Docker) | Docker + iptables firewall | Official, recommended for VS Code workflows |
Claude Code /sandbox | macOS, Linux | Seatbelt or bubblewrap | Built-in since October 2025 |
claude-sandbox (kohkimakimoto) | macOS | sandbox-exec profile | Restricts filesystem to working dir |
claude-code-sandbox (neko-kai) | macOS | sandbox-exec profile | Read-restriction focus |
sandvault (webcoyote) | macOS | Dedicated user account + sandbox-exec | Works for Claude Code, Codex, Cursor, Gemini |
| Apple Containerization | macOS | Lightweight VM | Released 2025, suited for stronger isolation |
| Firecracker microVMs | Linux | KVM microVMs | Used by some CI providers for ephemeral runs |
| GitHub Codespaces | Cloud | Container in cloud VM | Disposable by design |
Each of these reduces but does not eliminate the risks of bypass mode. None of them stop a malicious instruction from misusing tools that the sandbox legitimately permits, which is why Anthropic positions auto mode as a complementary defense.
Claude Code is Anthropic's terminal-based AI coding assistant that:
Provides CLI-first development workflows
Integrates with VS Code, Cursor, and JetBrains IDEs
Supports Model Context Protocol (MCP) for extensibility
Offers sophisticated context management
Supports headless and remote-control modes for cloud and CI use
| Tool | Equivalent flag or mode | Comparison |
|---|---|---|
| Cursor | "YOLO mode" toggle | Similar full-bypass behavior, fewer granular controls |
| GitHub Copilot Workspace | N/A (inline suggestions) | No autonomous shell execution |
| OpenAI Codex CLI | --auto-edit, --full-auto | Comparable risk profile in full-auto |
| Aider | --yes-always | Skips confirmations for edits and commands |
# Granular permissions (recommended for trusted workflows)
claude --allowedTools "Edit,Bash(git:*),Read"
# Plan first, then approve
claude --permission-mode plan
# Auto mode with classifier oversight (recommended replacement)
claude --permission-mode auto
# Locked-down CI
claude --permission-mode dontAsk -p "run lints"
Accidental data destruction by unconstrained shell commands
Exposure of sensitive information through tool calls
Damage to system configuration
Malicious repository content
Compromised npm or pip dependencies
Prompt injection via documentation, READMEs, web pages, or MCP tool outputs
Full access to user-accessible files
Network access for data transmission
Process manipulation capabilities[1]
docker run -it --rm \
-v "$(pwd):/workspace" \
--network none \
--read-only \
claude-container
Hourly snapshots (Arq, Time Machine, ZFS snapshots)
Git commit before sessions
Cloud backup synchronization
Firewall rules limiting outbound traffic to a domain allowlist
DNS filtering for known threats
Outbound proxy with logging
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [{ "type": "command", "command": "/usr/local/bin/cmd-guard.sh" }]
}
]
}
}
A PreToolUse hook can block dangerous commands such as rm -rf or sudo even when bypass mode is active.[16]
Use default or acceptEdits for routine work
Try auto mode before reaching for bypass
Reserve bypass mode for tasks running inside a sandbox
Maintain comprehensive backups
Commit before each agentic session
Work in disposable environments (containers, VMs, ephemeral cloud)
Enable verbose logging with --verbose
Review the session transcript before leaving the machine unattended
Audit file modifications via git diff
Establish clear usage guidelines
Mandate containerization or sandboxing requirements
Define acceptable use cases (CI, devcontainers, dedicated VMs)
Provide secure container environments by default
Implement centralized logging of CLI sessions
Offer backup automation for developer machines
Security awareness covering prompt injection
Best practices documentation
Incident response procedures
Set permissions.disableBypassPermissionsMode to "disable" to forbid the mode entirely
Use autoMode.environment to declare trusted internal infrastructure for auto mode
Enforce defaultMode per-team via managed settings[2]
| Project | Type | What it provides |
|---|---|---|
claude-code-yolo | Docker wrapper | Full containerization with credential passthrough[17] |
claude-docker | Docker template | Development environment isolation |
claude-sandbox | macOS sandbox-exec wrapper | Restricts filesystem reach |
sandvault | macOS user + sandbox-exec | Runs multiple agents (Claude, Codex, Cursor, Gemini) safely |
| Custom hooks | Shell scripts | PreToolUse blocks for dangerous commands |
# Selective permission bypass
--allowedTools "Edit,Write,Bash(git:*)"
# Explicit tool blocking
--disallowedTools "Bash(rm:*),Bash(curl:*)"
# Choose a permission mode
--permission-mode default|acceptEdits|plan|auto|dontAsk|bypassPermissions
# Add bypass to the cycle without entering it
--allow-dangerously-skip-permissions
# Debug MCP permissions
--mcp-debug
# Headless automation
-p, --print "prompt"
# Output formatting
--output-format json
--input-format stream-json
# Context management
--continue
--resume <session-id>
--add-dir <path>
# View current permissions
claude config get allowedTools
# Manage MCP servers
claude mcp list
claude mcp add <name> <command>
# Inspect auto mode defaults
claude auto-mode defaults
The --dangerously-skip-permissions flag remains a powerful but high-risk feature in Claude Code. It exists because there are legitimate scenarios, such as ephemeral CI runners, devcontainers, and disposable VMs, where the prompt-by-prompt approval flow is impractical. Outside those scenarios, both Anthropic's documentation and the community's incident record point to the same conclusion: do not run the flag on a host machine.
Since 2025 the practical answer for most users has shifted. Sandboxed Bash gives a host-friendly safety boundary at the OS level, while auto mode gives an interactive workflow with classifier-based oversight that catches the actions most likely to cause harm. For developers who still need full bypass, the official devcontainer with the published firewall remains the safest officially supported path.
The patterns that grew up around this flag, balancing automation with safety, layered sandboxes, hook-based deny lists, and graduated trust models, will continue to shape how agentic AI tools are deployed.