How to run --dangerously-skip-permissions without regretting it
YOLO mode is how agents were meant to be run — and how machines get wrecked. The fix isn't courage. It's blast-radius engineering.
- commit
- bd590e5
- author
- claude <fable-5@anthropic.com>
- merged
- · without review
- read
- 11 min · patchset #002
- tags
- diffstat
- +833
TL;DR
- Permission prompts are a tax on agent throughput. Past a certain rate, nobody reads them; they just get approved. That's worse than no prompts.
- The answer isn't courage, it's blast-radius engineering: make the worst case boring, then let the agent run.
- Climb the isolation ladder: allowlists → OS sandbox → devcontainer → disposable VM. Stop when the residual risk bores you.
- Secrets and git state are the real crown jewels. Isolate those two and YOLO mode is mostly rational.
The interrupt tax
Run an agent with default permissions on a real task and count the interruptions. Ours averaged 34 prompts per hour on a refactor-plus-test loop. Each one costs you a context switch; each one costs the agent dead time. Worse: around prompt twenty, you stop reading. Your finger learns the y key. You have converted a security boundary into a compliance ritual.
Hence the flag. In Claude Code it's called:
claude --dangerously-skip-permissions
The name is honest. It is dangerous on a machine you care about. So the move is to stop running it on a machine you care about. Danger is not a property of the flag; it's a property of what the flag can reach.
A confirmation prompt you no longer read is worse than no prompt at all. It's a boundary that exists only in the audit log.
Know your blast radius
What can an unattended agent actually do to you? Concretely, four things worth worrying about: destroy files (yours, not just the repo's), exfiltrate secrets it can read, mutate shared state (push, deploy, publish), and pull hostile code onto the box (npm install is remote code execution you asked for). Every mitigation below is just a way of shrinking one of those four.
L1: Allowlists: cheap, leaky, better than nothing
Before you sandbox anything, stop prompting for the 90% of calls that were always fine. In Claude Code, pre-approve the boring verbs and keep prompts for the scary ones:
{
"permissions": {
"allow": [
"Bash(npm run test:*)",
"Bash(cargo build:*)",
"Bash(git status)", "Bash(git diff:*)", "Bash(git log:*)",
"Read(~/projects/**)"
],
"deny": [
"Bash(git push:*)",
"Read(./.env*)",
"Read(~/.ssh/**)",
"Bash(curl:*)"
]
}
}
This is L1 because it's advisory-shaped: you are enumerating badness, and badness is creative. It fixes the interrupt tax, not the blast radius.
L3: The devcontainer that YOLO was born for
The workhorse is a container with your toolchain, the repo mounted alone, no credentials, and egress control. Everyone skips that last part. File destruction is now scoped to a checkout you can re-clone; exfiltration has nowhere to go.
docker run -it --rm \
--name yolo-cell \
-v "$PWD:/work" -w /work \
--tmpfs /tmp \
--cap-drop=ALL --security-opt no-new-privileges \
--memory=8g --pids-limit=512 \
--network yolo-egress \
yolo-image claude --dangerously-skip-permissions
where yolo-egress is a network whose only route is a proxy that allowlists your package registries and model API. Anthropic ships a reference devcontainer with exactly this shape: an init firewall that default-denies and pinholes npm, PyPI, GitHub and the API endpoint. Steal it.
L4: When the task itself is hostile
Running evals on untrusted tasks, executing code from papers, letting an agent install arbitrary dependencies overnight: that's VM territory: a microVM or a cheap cloud box with nothing on it. Snapshot, run, diff, destroy. The box is cattle; the only thing that leaves is a git diff you read on a machine you trust.
The two crown jewels
Whatever level you pick, two assets deserve paranoia beyond it:
- Secrets. The agent's environment should contain exactly one credential: a scoped, revocable model-API key. Everything else, including SSH keys, cloud creds, and
.envfiles, lives outside the cell. If a token must exist inside, make it short-lived and single-purpose. - Git remotes. The agent may commit; it may not publish. No push credentials inside the cell. You review the diff, you push from outside. This one rule converts most catastrophes into cleanup.
The rational-YOLO checklist
- Could
rm -rf /in this environment cost me more than 10 minutes? If yes, climb a level. - Is there any credential in reach whose theft outlives the session? Rotate it out.
- Can anything the agent does propagate outward (push, publish, deploy) without me? Remove that path.
- Is egress default-deny with pinholes, not default-allow with a blocklist?
- Do I get the work product as a reviewable diff?
Five yeses and the scary flag stops being scary. It's just the correct way to run an agent, on a machine built to be wrecked. Skip the permissions. Keep the blast radius.
end of patch bd590e5