Pushary

What Gemini CLI --yolo
actually does.

In Google Gemini CLI the unattended flag is gemini --yolo (equivalently --approval-mode yolo), which auto-approves every tool call, with Ctrl+Y toggling it inside a session. It runs destructive commands and injected instructions with no human in the loop, and the default sandbox isolates but does not re-add approval. The safer pattern is to stay in default or auto_edit mode and gate risky tool calls through Pushary, pushing approvals to your phone with a full audit trail.

The flag

gemini --yolo (equivalently --approval-mode yolo)

Auto-approves every tool call for the whole session.

99,9%Zugestellt
Hacker NewsAuf Hacker News vorgestellt
3-4xvs E-Mail

What the flag actually does

The --yolo flag (or --approval-mode yolo) sets Gemini CLI's approval mode to yolo, which auto-approves every tool call, so file edits and shell commands run with no confirmation. It sits at the far end of a three-mode scale: default prompts on each tool call, auto_edit auto-approves edits but still prompts for other tools, and yolo approves everything. You can also toggle it mid-session with Ctrl+Y. Gemini enables its sandbox when you use --yolo by default, but the sandbox only isolates, it does not restore the human approval you just removed.

Why people use it, and the real risk

With every tool call auto-approved, Gemini will execute destructive shell commands and file changes without pausing for a human, so one bad plan step or a misread instruction runs immediately. Prompt injection is the sharp edge: content the agent reads (a repo file, an issue, a fetched page) can carry instructions that become auto-approved tool calls, and nobody is asked. There is no per-command approval trail because approvals are switched off wholesale, so after an incident you cannot point to a human decision. Even with the default sandbox on, anything the agent can reach inside that environment, including tokens and workspace data, is fair game.

Three ways to run an agent

Full bypass keeps the agent moving but drops the gate. Babysitting keeps the gate but pins you to the keyboard. A phone gate keeps both.

ApproachAgent keeps movingDestructive actions gatedAway from the keyboardAudit trail
Full bypass (Gemini CLI)
Babysit the terminal
Pushary phone gate

The safer alternative

Prefer default or auto_edit mode so edits can flow but real actions still ask, then put the asking on your phone instead of your terminal. A PreToolUse hook or MCP policy classifies each tool call and, for the risky ones, Pushary sends a push and blocks until you approve or deny from the lock screen. The safe majority runs unattended, the dangerous few get a human yes or no, and every question and answer is recorded so you have an audit trail. That keeps the automation speed of yolo without the 'no one was watching' failure mode.

Gemini CLI skip permissions questions

How do I enable YOLO mode in Gemini CLI?

Start it with gemini --yolo, or use --approval-mode yolo, to auto-approve all tool calls; inside a running session you can toggle it with Ctrl+Y. This removes every confirmation, so it belongs only in disposable or sandboxed environments. If you want automation without giving up the human check, keep default or auto_edit mode and route risky calls to your phone with Pushary.

How do I make Gemini CLI auto-approve all commands?

The auto-approve setting is yolo, reached with the --yolo flag or --approval-mode yolo, which approves file edits and shell commands with no prompt. A middle option is auto_edit, which auto-approves edits but still asks before other tools run. Better yet, keep approvals on for anything destructive and have Pushary deliver those approvals to your phone, blocking until you answer and logging the result.

Is Gemini CLI --yolo safe to run unattended?

Only in an isolated or throwaway environment like a CI container or VM, never on a system with sensitive data or live credentials, because yolo mode executes injected or destructive commands with no human able to intervene. For everyday unattended runs, keep default or auto_edit approval and add a Pushary policy that pushes the risky decisions to your phone and keeps an audit trail of what was approved.

Run Gemini CLI unattended without skipping every permission.

Keep the agent moving, gate the risky calls, approve from your phone. Set up in two minutes.