Pushary

What Codex --yolo
actually does.

In OpenAI Codex CLI the flag that runs fully unattended is codex --dangerously-bypass-approvals-and-sandbox (aliased --yolo), which turns off both the approval prompts and the sandbox in one move. It is genuinely dangerous outside a locked-down VM: destructive commands and prompt injection run with no human able to intervene. The safer pattern is to keep the sandbox on and put a human gate on risky actions with Pushary, so approvals reach your phone and every decision lands in an audit trail.

The flag

codex --dangerously-bypass-approvals-and-sandbox (alias --yolo)

Turns off both the approval prompts and the sandbox in one move.

99,9%Zugestellt
Hacker NewsAuf Hacker News vorgestellt
3-4xvs E-Mail

What the flag actually does

Runs every command the model generates without any approval prompt and without the sandbox. It disables both guardrails at once: no per-command confirmation and no filesystem or network isolation. The older --full-auto flag is now deprecated in favor of --sandbox workspace-write, and the fully unattended path is either the dangerous bypass flag or the pair --ask-for-approval never --sandbox danger-full-access. OpenAI's own docs warn it should only run inside an externally hardened environment because a malicious project can exfiltrate anything reachable, including your Codex credentials.

Why people use it, and the real risk

With approvals and the sandbox both off, Codex will run destructive shell commands (rm, git reset --hard, force pushes, package installs, curl piped to shell) with no chance to stop it. Prompt injection is a live threat: a poisoned README, dependency, or web page the agent reads can steer it into running attacker commands, and there is no human in the loop to catch it. There is no per-command audit trail of what was approved, so after an incident you cannot reconstruct which action a human sanctioned because none were sanctioned. Credentials on the machine, SSH keys, and cloud tokens are all exposed to whatever the agent decides to do.

Three ways to run an agent

Full bypass keeps the agent moving but drops the gate. Babysitting keeps the gate but pins you to the keyboard. A phone gate keeps both.

ApproachAgent keeps movingDestructive actions gatedAway from the keyboardAudit trail
Full bypass (Codex)
Babysit the terminal
Pushary phone gate

The safer alternative

Keep --sandbox workspace-write (or read-only) so writes stay scoped, and route the moments that actually need a human past a phone gate instead of turning approvals off. Wire a PreToolUse hook or an MCP policy that classifies risky tools, and for those calls Pushary sends a push to your phone and blocks until you approve or deny from the lock screen. You get unattended speed on the safe majority and a real decision on the dangerous few, plus every question and answer is written to an audit log you can replay later. That is the difference between 'nobody was watching' and 'a human approved the delete at 2:14pm.'

Codex skip permissions questions

How do I make Codex CLI stop asking for permission?

The full bypass is codex --dangerously-bypass-approvals-and-sandbox (alias --yolo), which removes both approvals and the sandbox. If you only want to cut the prompts while keeping isolation, use --ask-for-approval never together with --sandbox workspace-write so writes stay inside the project. Reserve the full bypass for a disposable container. With Pushary you skip neither: the safe calls run and the risky ones ping your phone for a yes or no.

Is Codex --full-auto the same as dangerously skipping permissions?

No. --full-auto is now a deprecated compatibility flag that maps to --sandbox workspace-write, so it still keeps you inside the workspace sandbox. The true no-guardrails mode is --dangerously-bypass-approvals-and-sandbox, which also drops the sandbox. If you want unattended runs without dropping the sandbox, keep a human gate on risky tools and push those approvals to your phone.

How do I run Codex CLI unattended safely?

Run it in a throwaway container or VM if you use the bypass flag, never on your real machine with live credentials. A safer setup keeps --sandbox workspace-write and adds a Pushary policy so destructive tools (deletes, force pushes, network calls) pause and send a push you approve from your phone, while everything else proceeds. You keep the speed and get an audit trail of exactly what a human approved.

Run Codex unattended without skipping every permission.

Keep the agent moving, gate the risky calls, approve from your phone. Set up in two minutes.