
What --dangerously-skip-permissions does, and a safer way to run unattended

The Claude Code flag turns off every approval prompt. Here is what it disables and how to keep one gate while moving approvals to your phone.

Aadil Ghani
Founder, Pushary
Jun 13, 2026, 4 min read

--dangerously-skip-permissions turns off the approval prompt for every write and execute action Claude Code takes, so file writes, shell commands, and tool calls all run without asking you first. It is the same thing as --permission-mode bypassPermissions (Claude Code docs). People reach for it because the constant "allow this?" prompts kill the flow when an agent is doing real work. The problem is it removes the prompt for the harmless action and the destructive one at the same time.

Key takeaways

  • The flag drops every approval at once. Reading a file and force-pushing to main get the same treatment, which is none.
  • A few hard limits survive: deny rules and explicit ask rules still fire, rm -rf / and rm -rf ~ still prompt, and Claude Code refuses to start under root or sudo.
  • The safer pattern is to keep one gate on risky actions and answer the rare prompt from your phone, so you stay unblocked without going fully blind.

What the flag actually turns off

In normal use, Claude Code pauses and asks before it writes a file, runs a shell command, or calls a tool that changes something. bypassPermissions removes that pause. The agent runs to completion on its own.

A handful of guardrails do not go away. Per the official permission-modes doc, deny rules and explicit ask rules apply in every mode, including this one. So a deny rule still blocks a matching tool, and an ask rule still forces a prompt even with the flag on. Removals that target the filesystem root or home directory, like rm -rf / and rm -rf ~, still prompt as a circuit breaker against model error. And on Linux and macOS, Claude Code will not start in this mode when running as root or under sudo.

Those are narrow. Everything between "delete your entire home directory" and "read a file" runs silently.

Why people use it anyway

The honest reason is speed. When an agent is iterating on a test suite or refactoring across twenty files, approving each step by hand defeats the point of handing it off. So the flag gets switched on to make the agent fully autonomous.

Anthropic's own guidance is to run this mode inside an isolated environment, a container or dev container without network access, so a bad command cannot reach your host or your credentials (Claude Code docs). They have since shipped an auto mode aimed at the same speed without the all-or-nothing tradeoff (Anthropic engineering). Both point at the same conclusion: skipping every prompt on your real machine is the part that bites you.

A safer pattern: one gate, answers on your phone

You do not have to choose between a prompt on every action and a prompt on none. The middle is a policy that auto-approves the safe stuff and only stops you for the risky stuff.

That is what Pushary does. A per-tool permission policy matches on tool arguments, not just the tool name, so git status runs clean and git push waits for a yes. A read-only safe floor auto-approves proven read-only shell commands like cd, ls, cat, git log, and grep. That floor was decided from 1,721 real production questions, not a guess about what is safe.
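To make the argument-matching idea concrete, here is an added example (not Pushary's implementation and not code from the original article) of a gate that decides on the whole command line rather than the tool name. The decide function, the two read-only lists, and the sample commands are assumptions made for illustration.

```python
import shlex

# Assumed policy, built from the commands the article names as read-only.
READ_ONLY = {"cd", "ls", "cat", "grep"}
READ_ONLY_GIT = {"status", "log"}
# These characters can chain, redirect or substitute commands, so the first
# word no longer describes everything the line does. Quoted occurrences are
# flagged too: a false "ask" is the safe direction for a gate.
SHELL_META = set(";&|<>`$()\n")


def decide(command):
    """Return ("allow" | "ask", reason) for one proposed shell command."""
    if any(ch in SHELL_META for ch in command):
        return "ask", "shell operator present"
    try:
        argv = shlex.split(command)
    except ValueError:
        return "ask", "unparseable quoting"
    if not argv:
        return "ask", "empty command"
    prog, args = argv[0], argv[1:]
    if prog == "git":
        # Match on the subcommand, not the tool: status/log read, push writes.
        if not args or args[0] not in READ_ONLY_GIT:
            return "ask", "git subcommand not on the read-only list"
        # --output=<file> makes git log write to a file instead of stdout.
        if any(a.startswith("--output") for a in args[1:]):
            return "ask", "git option writes a file"
        return "allow", "read-only git subcommand"
    if prog in READ_ONLY:
        return "allow", "read-only command"
    return "ask", "not on the read-only list"


# Constructed sample commands, not taken from any real session.
SAMPLES = [
    "git status",
    "git push origin main",
    "ls -la && rm -rf build",
    "cat notes.txt > out.txt",
    "git log --output=/tmp/x",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(decide(cmd), cmd)
```

Anything the gate cannot prove read-only falls through to "ask", so an unfamiliar command costs one prompt rather than running silently.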

When something does need a decision, it goes to your phone. You approve or deny from the lock screen, from push, from Slack, or from the native iOS and Android app, and the agent keeps moving the moment you tap. You stay out of the terminal without losing the one veto that matters.

If a session goes somewhere you do not like, an agent kill switch ends it from the same place. And every decision lands in an audit trail, so you can see what ran and who approved it after the fact.

A few honest limits. The iOS home-screen deep link is broken, so iPhone answers come through a pending-questions inbox instead of a tap-through link. Claude Desktop has no hooks, so its connector can notify and ask but cannot enforce a gate. The enforced gating runs through the CLI hook on Claude Code, Codex, Gemini CLI, Cursor, and Hermes.

Common questions

Is --dangerously-skip-permissions safe to use?

It is safe in an isolated container with no network access and no host mount, which is what Anthropic recommends. On your real machine with your real credentials, it removes the one check between the model and an irreversible action. The model does not have to be malicious for this to hurt. One wrong command runs with nothing to stop it.

What still prompts even with the flag on?

Deny rules, explicit ask rules, and root-level deletes like rm -rf / and rm -rf ~. Claude Code also refuses to start under root or sudo. Everything else runs without asking (Claude Code docs).

How do I run unattended without skipping everything?

Set a policy that auto-approves read-only and known-safe commands, gate the rest, and route the rare gate to your phone. That keeps the agent moving on its own while leaving you a real approval on anything that writes, deletes, deploys, or spends.

Run agents unattended without going blind. See how the policy engine works in the docs, or start from pricing and put one gate between your agent and the actions you would want to see first.
