# Claude --dangerously-skip-permissions > Source: https://aiwiki.ai/wiki/claude_--dangerously-skip-permissions > Updated: 2026-04-26 > Categories: Anthropic > From AI Wiki (https://aiwiki.ai), a free encyclopedia of artificial intelligence. Quote with attribution. *See also: [Claude](/wiki/claude), [Claude Code](/wiki/claude_code), [Anthropic](/wiki/anthropic)* The **claude --dangerously-skip-permissions** flag is an officially documented command-line option for [Claude Code](/wiki/claude_code), [Anthropic](/wiki/anthropic)'s terminal-based [AI](/wiki/ai) coding assistant.[1] This flag bypasses all permission prompts, allowing Claude Code to execute commands and modify files without user approval. It is equivalent to entering Claude Code's `bypassPermissions` permission mode and is sometimes referred to in the developer community as "YOLO mode."[2] While Anthropic designed the flag for containerized environments without internet access, it became widely adopted by developers seeking uninterrupted [AI](/wiki/ai)-assisted coding workflows. Since the introduction of [Claude Code](/wiki/claude_code) sandboxing in October 2025 and the release of auto mode in March 2026, Anthropic has officially recommended safer alternatives for most use cases.[3][4] ## What This Command Does ### Core Functionality The `--dangerously-skip-permissions` flag completely disables Claude Code's permission system, granting unrestricted access to: - **File System Operations**: Read, write, edit, and delete files without approval - **Shell Command Execution**: Run any bash commands without confirmation - **Network Operations**: Fetch web content and make network requests freely - **Process Control**: Start, stop, and manipulate system processes - **Tool Usage**: Execute all available tools without permission checks[5] ### Visual Indicator When active, [Claude Code](/wiki/claude_code) displays a status bar warning: ``` WARNING: Claude Code running in Bypass Permissions mode ``` The CLI also shows a one-time confirmation prompt the first time the flag is used in a session, requiring the user to acknowledge the risk before commands execute. The prompt explicitly states that Anthropic does not recommend running the flag on a host machine and links to the security documentation.[1] ### Relationship to bypassPermissions Mode The flag is functionally identical to launching [Claude Code](/wiki/claude_code) with `--permission-mode bypassPermissions` or setting `"defaultMode": "bypassPermissions"` in `settings.json`. All three entry points activate the same internal mode. The mode disables every permission check except writes to a small set of protected paths.[2] Protected paths that still prompt even in bypass mode include: | Type | Path | Purpose | |------|------|---------| | Directory | `.git` | Repository state | | Directory | `.vscode`, `.idea` | Editor configuration | | Directory | `.husky` | Git hooks | | Directory | `.claude` (except `commands`, `agents`, `skills`, `worktrees`) | Claude Code config | | File | `.gitconfig`, `.gitmodules` | Git settings | | File | `.bashrc`, `.zshrc`, `.profile` | Shell startup | | File | `.mcp.json`, `.claude.json` | [MCP](/wiki/model_context_protocol) and Claude config | These paths are guarded in every mode and are never auto-approved.[2] ## Purpose and Functionality ### Official Purpose According to Anthropic's documentation, this flag is intended only for "isolated environments like containers, VMs, or devcontainers without internet access, where Claude Code cannot damage your host system."[2] Typical sanctioned use cases include: - **Automated Workflows**: Unattended code generation and modification - **CI/CD Integration**: Headless operation in build pipelines - **Batch Processing**: Large-scale automated refactoring - **Testing Automation**: Continuous test generation and execution ### Real-World Application Developers have expanded usage beyond official recommendations for:[6] - **Productivity Enhancement**: Eliminating "permission fatigue" from constant approval prompts - **Complex Multi-Step Operations**: Enabling Claude to complete lengthy tasks without interruption - **Development Workflow Transformation**: Shifting from IDE-centric to AI-first development patterns - **Parallel Agent Loops**: Running many [Claude Code](/wiki/claude_code) instances in a bash while-loop, a pattern popularized by Anthropic researchers (with the explicit caveat to run inside a container, not on a host)[7] ## When and How It's Used ### Command Syntax ```bash # Basic usage claude --dangerously-skip-permissions # With additional options claude --dangerously-skip-permissions --model sonnet --verbose # Headless mode for automation claude -p "fix all lint errors" --dangerously-skip-permissions --output-format json # Equivalent permission-mode invocation claude --permission-mode bypassPermissions # Add the mode to the Shift+Tab cycle without activating it claude --allow-dangerously-skip-permissions ``` The `--allow-dangerously-skip-permissions` variant introduced alongside the v2.1 permission-mode rework lets the user opt in to having bypass mode appear in the Shift+Tab cycle while starting the session in a safer mode. This makes it easier to switch into bypass mode for a specific risky operation without committing the entire session to it.[2] ### Common Use Cases 1. **Automated Code Maintenance** - Fixing lint errors across entire codebases - Updating dependencies and resolving conflicts - Refactoring legacy code patterns 2. **Content Generation** - Creating boilerplate code and project scaffolding - Generating comprehensive test suites - Writing documentation and API specifications 3. **System Administration** - Automating development environment setup - Managing dotfiles and configurations - Performing bulk file operations 4. **CI/CD Automation** - Automated PR reviews and labeling - Pre-commit hook execution - Build script optimization[8] 5. **GitHub Actions and Cloud Runners** - Running [Claude Code](/wiki/claude_code) inside ephemeral Linux runners that are destroyed after each job - Combining with the Anthropic-published GitHub Action for issue triage and PR review ### Developer Workflows Many developers create aliases for convenience:[6] ```bash alias cc="claude --dangerously-skip-permissions" alias claude-yolo="claude --dangerously-skip-permissions" ``` While these aliases are popular, they remove the friction that protects against accidental use on the host machine. Several community write-ups recommend instead aliasing the flag to a sandbox wrapper such as `claude-sandbox` or a Docker invocation, so that the alias still requires the user to be inside a disposable environment before commands run.[9] ## Associated Risks and Warnings ### Critical Security Risks 1. **Data Loss**: Potential for irreversible file deletion or corruption 2. **System Compromise**: Unrestricted command execution can damage system integrity 3. **Data Exfiltration**: Vulnerability to [prompt injection](/wiki/prompt_injection) attacks that steal sensitive data 4. **Malware Installation**: Possibility of downloading and executing malicious code 5. **Credential Exposure**: Risk of exposing API keys, passwords, and secrets[1] ### Documented Real-World Incidents A growing record of community-reported incidents illustrates the concrete failure modes of running the flag on a host machine: | Date | Incident | Outcome | |------|----------|---------| | October 2025 | A user reported [Claude Code](/wiki/claude_code) executing `rm -rf /` from a root shell. Thousands of "permission denied" errors protected system files but every user-owned file was destroyed.[10] | Loss of all user data on the machine | | December 2025 | A user asked [Claude Code](/wiki/claude_code) to "clean up packages." The model generated `rm -rf tests/ patches/ plan/ ~/`. The trailing `~/` expanded to the entire home directory. | Loss of desktop files, Keychain, and application data | | March 2026 | Oasis Security disclosed the "Claudy Day" trio of vulnerabilities affecting [Claude.ai](/wiki/claude_ai). Hidden HTML in `claude.ai/new?q=...` URLs could inject prompts that exfiltrated chat history to an attacker-controlled Anthropic account via the Files API.[11] | Silent data exfiltration | | 2026 | PromptArmor demonstrated file exfiltration in Claude Cowork via indirect prompt injection, using a curl command to upload files to the attacker's Anthropic account.[12] | File leak via attacker API key | These incidents share a common thread: bypass mode (or an equivalent loosely-permissioned environment) removed the human checkpoint that would have caught the malicious instruction or destructive command before it ran. ### Official Warnings Anthropic's documentation explicitly states: > "bypassPermissions offers no protection against prompt injection or unintended actions. For background safety checks without prompts, use auto mode instead."[2] > "Letting Claude run arbitrary commands is risky and can result in data loss, system corruption, or even data exfiltration (for example via [prompt injection](/wiki/prompt_injection) attacks)."[1] ### Attack Vectors - **[Prompt injection](/wiki/prompt_injection)**: Malicious instructions hidden in files, web pages, READMEs, issue comments, or fetched dependencies - **Command Chaining**: Complex attack sequences that bypass simple deny rules - **Persistence Mechanisms**: Installation of backdoors, cron jobs, or shell hooks - **Privilege Escalation**: Inheriting elevated permissions when run as root - **Credential Theft via Network Egress**: Reading `.env`, `~/.aws/credentials`, or SSH keys and POSTing them to a remote endpoint[13] ## Technical Documentation ### Permission System Architecture [Claude Code](/wiki/claude_code) uses a configurable permission system that is completely bypassed when using this flag. The full set of permission modes available as of 2026 is summarized below:[2] | Mode | What runs without prompting | Best for | |------|----------------------------|----------| | `default` | Reads only | Sensitive work, getting started | | `acceptEdits` | Reads, edits, common filesystem commands (`mkdir`, `touch`, `mv`, `cp`, `sed`) | Iterating on code you review afterward | | `plan` | Reads only, no edits | Exploring a codebase before changing it | | `auto` | Everything, screened by a classifier model | Long autonomous tasks | | `dontAsk` | Only pre-approved tools, no prompts | Locked-down CI pipelines | | `bypassPermissions` | Everything except protected paths | Isolated containers and VMs only | Cycling through modes during a session is done with `Shift+Tab`. The `bypassPermissions` and `auto` modes only appear in the cycle if the relevant enabling flag is passed at startup.[2] ### Permission Rule Layering In every mode except `bypassPermissions`, additional `allow`, `ask`, and `deny` rules can be layered on top via `settings.json`: ```json { "permissions": { "defaultMode": "default", "allow": ["Bash(npm run *)", "Bash(git status)"], "deny": ["Bash(rm *)", "Bash(curl *)"], "ask": ["Bash(git push *)"] } } ``` The `bypassPermissions` mode skips the permission rule layer entirely, which means even `deny` rules written in `settings.json` are not enforced when the flag is active. Administrators who want to prevent the mode from being used at all can set `permissions.disableBypassPermissionsMode` to `"disable"` in managed settings.[2] ### Implementation Details - **Affected Tools**: Edit, Write, Bash, WebFetch, WebSearch, [MCP](/wiki/model_context_protocol) servers, sub-agents - **Scope**: All operations execute without approval prompts, except writes to protected paths - **Persistence**: Flag must be specified each session, or `defaultMode` set in `settings.json` - **Configuration**: Cannot be permanently set per-project for safety; must be explicitly opted into[14] ### Integration with Other Features Works with [Claude Code](/wiki/claude_code)'s ecosystem: - **[MCP](/wiki/model_context_protocol) Servers**: All [MCP](/wiki/model_context_protocol) tools execute without permission - **Slash Commands**: Custom commands run unrestricted - **Hooks**: `PreToolUse` and `PostToolUse` hooks still fire and remain the primary mechanism for adding custom safety logic - **Headless Mode**: Combines with `-p` for full automation - **Sub-agents**: Inherited permission state means a sub-agent spawned in bypass mode also runs unrestricted[5] ## Safer Alternatives Introduced in 2025-2026 Anthropic has invested heavily in alternatives that capture most of the workflow benefit of bypass mode without removing the safety net. ### Sandboxed Bash (October 2025) The `/sandbox` feature, announced October 20, 2025, uses operating-system primitives to confine [Claude Code](/wiki/claude_code)'s shell tool. It reduced permission prompts by 84% in Anthropic's internal usage.[3] | Platform | Underlying technology | What it isolates | |----------|----------------------|------------------| | macOS | Seatbelt (`sandbox-exec`) | Filesystem outside the working directory, network | | Linux | bubblewrap | Filesystem outside the working directory, network | Inside the sandbox, the shell tool is restricted to read/write within the current working directory, and network access is brokered through a Unix domain socket connected to a proxy that enforces an allowlist. Anthropic published the runtime as open source so other agent frameworks can adopt it.[3] ### Auto Mode (March 2026) Auto mode, announced on March 25, 2026, requires [Claude Code](/wiki/claude_code) v2.1.83 or later and is positioned as the recommended replacement for `--dangerously-skip-permissions` for most workflows.[4] It uses a two-layered defense: 1. **Server-side prompt-injection probe**: Scans tool outputs before they reach the agent 2. **Transcript classifier (Claude Sonnet 4.6)**: A separate model evaluates each pending action against a fast single-token filter, with chain-of-thought reasoning only if flagged The classifier blocks high-risk actions by default: - Downloading and executing code (`curl | bash`) - Sending sensitive data to external endpoints - Production deploys and migrations - Mass deletion on cloud storage - IAM or repo permission changes - Force push or pushing directly to `main` - Irreversibly destroying files that pre-dated the session Auto mode is available on Max, Team, Enterprise, and API plans (not Pro), and only with Sonnet 4.6, Opus 4.6, or Opus 4.7 on the Anthropic API. Bedrock and Vertex are not supported.[2] ### Comparison of Modes | Concern | `--dangerously-skip-permissions` | `auto` mode | Sandboxed Bash | |---------|-----------------------------------|--------------|----------------| | Prompts the user | Never (except protected paths) | Never (with classifier oversight) | Only for actions outside sandbox | | Protects against [prompt injection](/wiki/prompt_injection) | No | Partial (classifier and probe) | Partial (filesystem and network confined) | | Requires specific plan | No | Max, Team, Enterprise, API | No | | Recommended for host machine | No | Yes | Yes | | Adds latency | None | Classifier round-trip | Minimal | | Available since | Original release | March 2026 | October 2025 | ## Official Anthropic Documentation ### Primary Sources 1. **Permission Modes Reference**: `code.claude.com/docs/en/permission-modes`[2] 2. **Permissions Configuration**: `code.claude.com/docs/en/permissions`[14] 3. **Sandboxing Documentation**: `code.claude.com/docs/en/sandboxing` 4. **Auto Mode Engineering Blog**: `anthropic.com/engineering/claude-code-auto-mode`[4] 5. **Sandboxing Engineering Blog**: `anthropic.com/engineering/claude-code-sandboxing`[3] 6. **Best Practices Guide**: `anthropic.com/engineering/claude-code-best-practices`[8] 7. **Devcontainer Reference**: `code.claude.com/docs/en/devcontainer`[15] ### Official Recommendations Anthropic strongly recommends: - Using only in Docker containers, VMs, or devcontainers without unrestricted internet access - Implementing the official devcontainer reference configuration for unattended runs - Preferring auto mode for interactive workflows that need fewer prompts - Using sandboxed Bash on the host when full isolation is impractical - Maintaining comprehensive backup strategies regardless of mode - Layering granular `allow`/`deny` rules in `settings.json` rather than relying on bypass mode ### Container Reference Implementation Anthropic publishes an official devcontainer setup at `github.com/anthropics/claude-code/.devcontainer`. It includes three components:[15] | File | Purpose | |------|---------| | `devcontainer.json` | Container settings, extensions, volume mounts | | `Dockerfile` | Image definition (Node.js 20, ZSH, fzf, git, gh) | | `init-firewall.sh` | iptables rules and ipset of allowed domains | The firewall enforces a default-deny outbound policy and only resolves a small allowlist of domains: `registry.npmjs.org`, `api.anthropic.com`, `statsig.com`, plus dynamic GitHub IP ranges fetched from the GitHub `/meta` API. DNS and SSH are allowed; everything else is blocked. The `init-firewall.sh` script runs at container start and validates the rule set before [Claude Code](/wiki/claude_code) is allowed to launch.[15] Anthropic notes that even with the devcontainer, a malicious project can still exfiltrate anything reachable inside the container, including [Claude Code](/wiki/claude_code) credentials. The recommendation is to use devcontainers only with trusted repositories.[15] ## Sandboxing Tooling Comparison For users running [Claude Code](/wiki/claude_code) outside the official devcontainer, several community and OS-level tools provide isolation: | Tool | Platform | Mechanism | Notes | |------|----------|-----------|-------| | Anthropic devcontainer | Cross-platform (Docker) | Docker + iptables firewall | Official, recommended for VS Code workflows | | [Claude Code](/wiki/claude_code) `/sandbox` | macOS, Linux | Seatbelt or bubblewrap | Built-in since October 2025 | | `claude-sandbox` (kohkimakimoto) | macOS | `sandbox-exec` profile | Restricts filesystem to working dir | | `claude-code-sandbox` (neko-kai) | macOS | `sandbox-exec` profile | Read-restriction focus | | `sandvault` (webcoyote) | macOS | Dedicated user account + `sandbox-exec` | Works for [Claude Code](/wiki/claude_code), Codex, Cursor, Gemini | | Apple Containerization | macOS | Lightweight VM | Released 2025, suited for stronger isolation | | Firecracker microVMs | Linux | KVM microVMs | Used by some CI providers for ephemeral runs | | GitHub Codespaces | Cloud | Container in cloud VM | Disposable by design | Each of these reduces but does not eliminate the risks of bypass mode. None of them stop a malicious instruction from misusing tools that the sandbox legitimately permits, which is why Anthropic positions auto mode as a complementary defense. ## Context Within the Claude Code Ecosystem ### Claude Code Overview [Claude Code](/wiki/claude_code) is Anthropic's terminal-based [AI](/wiki/ai) coding assistant that: - Provides CLI-first development workflows - Integrates with VS Code, Cursor, and JetBrains IDEs - Supports Model Context Protocol ([MCP](/wiki/model_context_protocol)) for extensibility - Offers sophisticated context management - Supports headless and remote-control modes for cloud and CI use ### Relationship to Other Tools | Tool | Equivalent flag or mode | Comparison | |------|------------------------|------------| | Cursor | "YOLO mode" toggle | Similar full-bypass behavior, fewer granular controls | | [GitHub Copilot](/wiki/github_copilot) Workspace | N/A (inline suggestions) | No autonomous shell execution | | OpenAI Codex CLI | `--auto-edit`, `--full-auto` | Comparable risk profile in full-auto | | Aider | `--yes-always` | Skips confirmations for edits and commands | ### Alternative Approaches in Plain Settings ```bash # Granular permissions (recommended for trusted workflows) claude --allowedTools "Edit,Bash(git:*),Read" # Plan first, then approve claude --permission-mode plan # Auto mode with classifier oversight (recommended replacement) claude --permission-mode auto # Locked-down CI claude --permission-mode dontAsk -p "run lints" ``` ## Security Implications ### Threat Model 1. **Immediate Risks** - Accidental data destruction by unconstrained shell commands - Exposure of sensitive information through tool calls - Damage to system configuration 2. **Attack Surface** - Malicious repository content - Compromised npm or pip dependencies - [Prompt injection](/wiki/prompt_injection) via documentation, READMEs, web pages, or [MCP](/wiki/model_context_protocol) tool outputs 3. **Blast Radius** - Full access to user-accessible files - Network access for data transmission - Process manipulation capabilities[1] ### Mitigation Strategies 1. **Container Isolation** (Strongly Recommended) ```bash docker run -it --rm \ -v "$(pwd):/workspace" \ --network none \ --read-only \ claude-container ``` 2. **Backup Systems** - Hourly snapshots (Arq, Time Machine, ZFS snapshots) - Git commit before sessions - Cloud backup synchronization 3. **Network Restrictions** - Firewall rules limiting outbound traffic to a domain allowlist - DNS filtering for known threats - Outbound proxy with logging 4. **Hooks for Defense in Depth** ```json { "hooks": { "PreToolUse": [ { "matcher": "Bash", "hooks": [{ "type": "command", "command": "/usr/local/bin/cmd-guard.sh" }] } ] } } ``` A `PreToolUse` hook can block dangerous commands such as `rm -rf` or `sudo` even when bypass mode is active.[16] ## Best Practices for Usage ### For Individual Developers 1. **Start Conservative** - Use `default` or `acceptEdits` for routine work - Try auto mode before reaching for bypass - Reserve bypass mode for tasks running inside a sandbox 2. **Implement Safeguards** - Maintain comprehensive backups - Commit before each agentic session - Work in disposable environments (containers, VMs, ephemeral cloud) 3. **Monitor Activity** - Enable verbose logging with `--verbose` - Review the session transcript before leaving the machine unattended - Audit file modifications via `git diff` ### For Teams and Organizations 1. **Policy Development** - Establish clear usage guidelines - Mandate containerization or sandboxing requirements - Define acceptable use cases (CI, devcontainers, dedicated VMs) 2. **Infrastructure Support** - Provide secure container environments by default - Implement centralized logging of CLI sessions - Offer backup automation for developer machines 3. **Training and Education** - Security awareness covering [prompt injection](/wiki/prompt_injection) - Best practices documentation - Incident response procedures 4. **Managed Settings** - Set `permissions.disableBypassPermissionsMode` to `"disable"` to forbid the mode entirely - Use `autoMode.environment` to declare trusted internal infrastructure for auto mode - Enforce `defaultMode` per-team via managed settings[2] ### Community-Developed Solutions | Project | Type | What it provides | |---------|------|------------------| | `claude-code-yolo` | Docker wrapper | Full containerization with credential passthrough[17] | | `claude-docker` | Docker template | Development environment isolation | | `claude-sandbox` | macOS `sandbox-exec` wrapper | Restricts filesystem reach | | `sandvault` | macOS user + sandbox-exec | Runs multiple agents (Claude, Codex, Cursor, Gemini) safely | | Custom hooks | Shell scripts | `PreToolUse` blocks for dangerous commands | ## Related Commands and Flags ### Permission Management Flags ``` # Selective permission bypass --allowedTools "Edit,Write,Bash(git:*)" # Explicit tool blocking --disallowedTools "Bash(rm:*),Bash(curl:*)" # Choose a permission mode --permission-mode default|acceptEdits|plan|auto|dontAsk|bypassPermissions # Add bypass to the cycle without entering it --allow-dangerously-skip-permissions # Debug MCP permissions --mcp-debug ``` ### Workflow Enhancement Flags ``` # Headless automation -p, --print "prompt" # Output formatting --output-format json --input-format stream-json # Context management --continue --resume --add-dir ``` ### Configuration Commands ``` # View current permissions claude config get allowedTools # Manage MCP servers claude mcp list claude mcp add # Inspect auto mode defaults claude auto-mode defaults ``` ## Conclusion The `--dangerously-skip-permissions` flag remains a powerful but high-risk feature in [Claude Code](/wiki/claude_code). It exists because there are legitimate scenarios, such as ephemeral CI runners, devcontainers, and disposable VMs, where the prompt-by-prompt approval flow is impractical. Outside those scenarios, both Anthropic's documentation and the community's incident record point to the same conclusion: do not run the flag on a host machine. Since 2025 the practical answer for most users has shifted. Sandboxed Bash gives a host-friendly safety boundary at the OS level, while auto mode gives an interactive workflow with classifier-based oversight that catches the actions most likely to cause harm. For developers who still need full bypass, the official devcontainer with the published firewall remains the safest officially supported path. The patterns that grew up around this flag, balancing automation with safety, layered sandboxes, hook-based deny lists, and graduated trust models, will continue to shape how agentic [AI](/wiki/ai) tools are deployed. ## See Also - [Claude Code](/wiki/claude_code) - [Anthropic](/wiki/anthropic) - [Claude](/wiki/claude) - [Prompt injection](/wiki/prompt_injection) - [Model Context Protocol](/wiki/model_context_protocol) - [AI](/wiki/ai) ## External Links - [Choose a permission mode (official docs)](https://code.claude.com/docs/en/permission-modes) - [Configure permissions (official docs)](https://code.claude.com/docs/en/permissions) - [Sandboxing (official docs)](https://code.claude.com/docs/en/sandboxing) - [Devcontainer reference (official docs)](https://code.claude.com/docs/en/devcontainer) - [Claude Code auto mode (Anthropic engineering blog)](https://www.anthropic.com/engineering/claude-code-auto-mode) - [Claude Code sandboxing (Anthropic engineering blog)](https://www.anthropic.com/engineering/claude-code-sandboxing) - [Claude Code Best Practices (Anthropic engineering blog)](https://www.anthropic.com/engineering/claude-code-best-practices) - [Claude Code GitHub Repository](https://github.com/anthropics/claude-code) - [Anthropic devcontainer reference](https://github.com/anthropics/claude-code/tree/main/.devcontainer) ## References 1. Anthropic. "Claude Code security." `code.claude.com/docs/en/security` 2. Anthropic. "Choose a permission mode." `code.claude.com/docs/en/permission-modes` 3. Anthropic Engineering. "Making Claude Code more secure and autonomous." October 20, 2025. `anthropic.com/engineering/claude-code-sandboxing` 4. Anthropic Engineering. "Claude Code auto mode: a safer way to skip permissions." March 25, 2026. `anthropic.com/engineering/claude-code-auto-mode` 5. Anthropic. "Claude Code CLI reference." `code.claude.com/docs/en/cli-reference` 6. ClaudeLog. "Dangerous Skip Permissions." `claudelog.com/mechanics/dangerous-skip-permissions` 7. Anthropic Safeguards Team commentary on parallel agent loops; cited in community guides such as `ksred.com/claude-code-dangerously-skip-permissions` 8. Anthropic Engineering. "Claude Code Best Practices." `anthropic.com/engineering/claude-code-best-practices` 9. Kohki Makimoto. "claude-sandbox: Yet another sandboxing tool for Claude Code on macOS." `dev.to/kohkimakimoto` 10. Community-reported incident, October 2025; summarized in `gist.github.com/hartphoenix/698eb8ef8b08ad2ce6a99cf7346cd7cc` and `thomas-wiegold.com/blog/claude-code-dangerously-skip-permissions` 11. Oasis Security. "Claude.ai Prompt Injection Vulnerability ('Claudy Day')." `oasis.security/blog/claude-ai-prompt-injection-data-exfiltration-vulnerability` 12. PromptArmor. "Claude Cowork Exfiltrates Files." `promptarmor.com/resources/claude-cowork-exfiltrates-files` 13. TrueFoundry. "Prompt Injection and AI Agent Security Risks: A Claude Code Guide for Enterprise Teams." `truefoundry.com/blog/claude-code-prompt-injection` 14. Anthropic. "Configure permissions." `code.claude.com/docs/en/permissions` 15. Anthropic. "Development containers." `code.claude.com/docs/en/devcontainer` 16. Anthropic. "Hooks." `code.claude.com/docs/en/hooks` 17. Community project `claude-code-yolo` on GitHub; see also `github.com/webcoyote/sandvault` for related multi-agent sandboxing.