Claude Code --dangerously-skip-permissions: What It Does, Real Risks & How to Use It Safely (2025)
A complete guide to claude code dangerously-skip-permissions — what it does, real risks, safe Docker setup, and better alternatives like auto mode.
PP
Pulkit Porwal
Apr 5, 2026•8 min read
On this page
If you have been using Claude Code for more than a day, you have probably already hit that wall. You give the AI a big task, walk away, and come back to find it stuck at step two, waiting for you to click "allow" on a mkdir command. That frustration is exactly why the --dangerously-skip-permissions flag exists. But the word "dangerously" in the name is not a joke. Real developers have lost entire home directories because of it. I have come very close myself. This article covers everything you need to know — what the flag actually does, the horror stories behind it, how to use it without destroying your machine, and the smarter alternatives that are now available in 2025.
What Is Claude Code --dangerously-skip-permissions?
Claude Code is a terminal-based AI coding assistant made by Anthropic. By default, it asks for your approval before doing anything that touches your system — running a bash command, editing a file, making a network request. That behavior exists for a very good reason. But when you are trying to automate a large task, those constant permission prompts become a serious problem.
The --dangerously-skip-permissions flag (also written as --permission-mode bypassPermissions) tells Claude Code to skip all of those prompts and just execute. Every action happens immediately with no confirmation dialog, no pause, no chance for you to catch a bad command before it fires. Anthropic calls this mode "YOLO mode" or "bypassPermissions mode." The flag was designed specifically for headless, non-interactive environments — think CI/CD pipelines, GitHub Actions, or Docker containers where there is no human sitting at a keyboard to click "allow."
Here is the basic syntax:
claude --dangerously-skip-permissions "Fix all lint errors" claude --permission-mode bypassPermissions "Generate boilerplate for new module" Both commands do identical things. The first is just shorthand.
One important detail that most guides skip over: when you enable bypass mode, all subagents inherit it too. If Claude spawns a subagent to handle part of a task, that subagent gets the same full, unsupervised system access. You cannot override this. It is documented in the official SDK, but it is buried deep enough that most developers miss it entirely. To learn more about how Claude Code compares to other AI coding tools, check out this Claude Code vs Cursor 2026 comparison.
The Real Risks: What Can Actually Go Wrong
I want to be specific here because most articles about this topic are frustratingly vague. "Bad things could happen" is not useful. Here is what actually happens.
The most famous case is developer Mike Wolak's incident in October 2025. He was working on a firmware project in a nested directory on Ubuntu/WSL2. Claude Code executed an rm -rf starting from the root directory (/). His GitHub bug report documents it in detail — error logs showed thousands of "Permission denied" messages for system paths like /bin, /boot, and /etc. The command literally tried to delete everything on the machine. The only thing that saved his system was that those paths were protected at the OS level. His project directory was not so lucky.
Beyond that single incident, a study found that 32% of developers using --dangerously-skip-permissions experienced at least one unintended file modification, and 9% reported data loss. Here are the specific failure patterns I have seen and heard about firsthand:
- Scope creep deletions — Claude decides a config file is "related" to your task and removes it without warning
- Home directory wipes — Tilde expansion bugs turning ~/project cleanup into ~ deletion
- Prompt injection attacks — Malicious text hidden inside files you feed to Claude, instructing it to exfiltrate your credentials
- Runaway API costs — Autonomous sessions that spin up dozens of subagents and burn through your budget while you sleep
- Untrusted repo attacks — A malicious CLAUDE.md or .claude/settings.json in a cloned repo silently instructing Claude to do harmful things
Even Anthropic's own engineers acknowledge the danger. Their February 2026 blog post about building a C compiler with parallel Claude agents showed their autonomous loop running this flag — immediately followed by the note: "Run this in a container, not your actual machine." The people who built the tool will not run it on bare metal. That tells you everything.
How to Use --dangerously-skip-permissions Safely
If you genuinely need this flag — for a CI pipeline, a bulk refactor, or automated test-driven development — there is a way to use it without putting your machine at risk. The key word is isolation. Never run this flag directly on your host machine. Full stop.
Here is the safe Docker setup that I use and recommend:
docker run -it --rm -v $(pwd):/workspace --network none claude-code:latest --dangerously-skip-permissions "Your task here"
Breaking that command down:
- -v $(pwd):/workspace — Only mounts your current project directory, not your entire filesystem
- --network none — Completely cuts off internet access, preventing data exfiltration
- --rm — Automatically deletes the container after the task finishes, so nothing persists
Beyond Docker, here are the other safety layers you should always stack on top:
- Git checkpoints before you start — Run git add -A && git commit -m "Checkpoint pre-Claude" so you can always roll back
- Block dangerous tools explicitly — Use --disallowedTools "Bash(rm:*)" to block rm even in bypass mode. Note: --allowedTools has a documented bug where it may be ignored in bypassPermissions mode — --disallowedTools works correctly in all modes
- Set a budget limit — Add --max-budget-usd 5.00 to prevent runaway API spending during long autonomous sessions
- Scope your prompt tightly — "Fix all lint errors in /src/components" is far safer than "Clean up the codebase"
- Ask Claude to log its changes — A prompt like "document every file you modify" gives you a readable audit trail after the session ends
For more information on the broader AI tool landscape this flag operates within, see this overview of the most advanced AI in the world and how Claude fits into it.
Safer Alternatives You Should Know About
The good news is that in 2025, you do not have to choose between constant permission interruptions and full YOLO mode. Anthropic has shipped several middle-ground options that are genuinely useful. I have switched my daily workflow away from --dangerously-skip-permissions almost entirely because of these.
Auto Mode (Recommended for most use cases)
This is the best option available right now. Auto mode uses an AI classifier to evaluate every action before it runs. Safe, low-risk actions like reading files, running tests, or committing to your working branch are auto-approved. High-risk actions — anything touching shared infrastructure, running external code, or bypassing safety checks — get flagged and sent to you. If the session accumulates 3 consecutive denials or 20 total, it escalates to you automatically. It gives you most of the speed of bypass mode with real safety guardrails. Enable it with --enable-auto-mode or set "defaultMode": "auto" in your Claude Code settings.json.
acceptEdits Mode
This mode auto-approves all file edits but still prompts you before running any shell commands. It is a solid middle ground for tasks that are mostly code changes with minimal bash involvement. Activate it by pressing Shift+Tab to cycle to "auto-accept edits" in the status bar.
AllowedTools Config
You can whitelist specific safe operations in your ~/.claude.json file. For example, you can allow Bash(git commit *) and Bash(npm test) without opening up everything. This approach is actually better than bypass mode for regular workflows because it is explicit, auditable, and persistent across sessions.
Plan Mode
Claude generates a complete read-only plan of what it wants to do before touching anything. You review and approve the plan first. Great for complex refactors where you want to understand the full scope before giving the green light. Compare how these permission approaches stack up in the broader AI coding tool market via the LMSYS Chatbot Arena Leaderboard.
When Is --dangerously-skip-permissions Actually the Right Choice?
Despite the risks, there are legitimate scenarios where this flag is the correct tool. I want to be honest about that rather than just telling you to never use it. The flag is not as dangerous as the name implies — if you have the right safety nets in place first.
Here are the four scenarios where I think it is genuinely justified:
- CI/CD Pipelines — Automated systems literally cannot click "approve." If Claude Code runs inside GitHub Actions or GitLab CI, the pipeline itself acts as your permission layer. The flag is necessary and the environment is controlled.
- Fully Isolated Containers — If you are running inside a Docker container with a default-deny firewall, no access to production credentials, and a limited volume mount, the container is your sandbox. The permission system adds no extra protection in that case.
- Bulk Safe Transformations — Processing hundreds of files with a known-safe operation (adding license headers, updating import paths, fixing formatting) does not require human approval at each step. Git is your undo button.
- Test-Driven Development Loops — The classic Anthropic-recommended pattern: write failing tests first, commit them, then run Claude in bypass mode with the single task of making those tests pass. The tests themselves act as your guardrails.
What it is not right for: any machine that has SSH keys to production servers, AWS credentials in ~/.aws, database connection strings, or any sensitive data Claude could accidentally touch or exfiltrate. For those situations, use auto mode or a properly scoped AllowedTools config. If you are evaluating different LLM providers for building automated pipelines like this, this rundown of the 8 best free LLM API providers is worth reading.
For the official documentation on all permission modes, see Anthropic's Claude Code security docs and the official permission modes reference. You can also follow the community discussion on the Claude Code GitHub repository.
My Personal Recommendation After Using This Daily
I have been using Claude Code heavily since it launched and I have made the mistake of running --dangerously-skip-permissions on my host machine more than once. Nothing catastrophic happened to me personally, but I got lucky. I have seen what happens when it goes wrong for other people and it is genuinely awful.
Here is my honest recommendation based on real-world usage:
- For daily development work — Switch to auto mode. It is faster than constant prompts and safer than bypass mode. The AI classifier is good enough that you will barely notice the difference in speed.
- For CI/CD pipelines — Use --dangerously-skip-permissions inside a properly locked-down container. That is exactly what it was built for.
- For big one-off refactors — Run it in Docker with --network none, always commit a checkpoint first, and scope your prompt so tightly that Claude has no room to improvise.
- For anything involving sensitive files or credentials — Do not use it at all. Use AllowedTools or plan mode instead.
The flag is a tool. Like any powerful tool, using it carelessly causes damage. But used in the right context with the right safety setup, it genuinely accelerates the kind of large-scale autonomous coding tasks that would otherwise take hours of manual supervision. Just run it in a container, commit your work first, and block rm. Those three things alone will save you from 95% of the disasters people run into.