Remote OpenClaw Blog
Claude Code YOLO Mode: Skip Permissions Safely in 2026
Claude Code YOLO mode is the community name for running Claude Code with the --dangerously-skip-permissions flag, which puts the session in bypassPermissions mode so tool calls execute immediately without permission prompts. It is sane inside an isolated container or CI runner and reckless on a host machine holding your real credentials, and since 2026 Claude Code ships two better middle grounds, auto mode and the Bash sandbox, that remove most prompts without removing the safety net.
What Is Claude Code YOLO Mode?
YOLO mode is bypassPermissions, the loosest of Claude Code's six permission modes, in which permission prompts and safety checks are disabled so every tool call executes immediately. In the other five modes (default, acceptEdits, plan, auto, dontAsk), Claude pauses for approval before risky actions and never auto-approves writes to protected paths like .git and .claude. YOLO mode drops all of that; since v2.1.126 it even allows protected-path writes that earlier versions still prompted for, per the official permission modes documentation.
Three checks survive even here. Explicit ask rules in your permission settings still force a prompt. Removals targeting the filesystem root or your home directory, like rm -rf / and rm -rf ~, still prompt as a circuit breaker against model error. And PreToolUse hooks that return a deny decision still block, because hooks fire before any permission-mode check; that combination of YOLO mode plus deny hooks is covered in our Claude Code hooks guide.
The docs are unambiguous about the intended habitat: "Only use this mode in isolated environments like containers, VMs, or dev containers without internet access, where Claude Code cannot damage your host system."
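The deny-hook check described above, as an added example (not code from the original page or from Anthropic). It assumes the hook input and output JSON shape from the hooks documentation (`hook_event_name`, `tool_name`, `tool_input.command`, `hookSpecificOutput.permissionDecision`); the pattern list is a constructed policy.

```python
#!/usr/bin/env python3
"""PreToolUse policy hook (added example): deny risky Bash commands in any mode."""
import json
import re
import sys

# Constructed policy drawn from the risks this page names; tune it locally.
DENY_PATTERNS = [
    (re.compile(r"(?:~|\$HOME|/home/[^/\s]+|/Users/[^/\s]+)/\.(?:ssh|aws)\b"),
     "touches a credential directory"),
    (re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
     "pipes a download into a shell"),
    (re.compile(r"\bgit\s+push\b.*(?:\s--force\b|\s-f\b)"),
     "force-pushes"),
]


def decide(event):
    """Return the deny payload for a matching Bash call, else None (no opinion)."""
    if event.get("hook_event_name") != "PreToolUse" or event.get("tool_name") != "Bash":
        return None
    command = (event.get("tool_input") or {}).get("command", "")
    for pattern, reason in DENY_PATTERNS:
        if pattern.search(command):
            return {"hookSpecificOutput": {
                "hookEventName": "PreToolUse",
                "permissionDecision": "deny",
                "permissionDecisionReason": f"policy hook: command {reason}",
            }}
    return None


def main():
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        # Fail closed: exit code 2 blocks the tool call and shows stderr to Claude.
        print("policy hook: unreadable event", file=sys.stderr)
        return 2
    verdict = decide(event)
    if verdict:
        print(json.dumps(verdict))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Pattern matching on command text is a policy backstop, not a boundary; the isolation described in the rest of this page is what limits damage when a command slips past it.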
How to Enable It: Flag and Settings
YOLO mode must be enabled at launch; you cannot switch into bypassPermissions from a session that started without one of the enabling flags. The three ways in, verified against the CLI reference as of July 2026:
```bash
# Start directly in YOLO mode
claude --dangerously-skip-permissions

# Equivalent long form
claude --permission-mode bypassPermissions

# Start in plan mode, but add bypassPermissions to the
# Shift+Tab cycle so you can switch to it later
claude --permission-mode plan --allow-dangerously-skip-permissions
```
To make it a persistent default (only sensible inside a disposable environment), set it in a settings file:
```json
{
  "permissions": {
    "defaultMode": "bypassPermissions"
  }
}
```
Two guard rails on enabling. On macOS and Linux, Claude Code refuses to start with the error "--dangerously-skip-permissions cannot be used with root/sudo privileges for security reasons"; the check is skipped automatically inside a recognized sandbox, and Anthropic's dev container reference exists precisely so autonomous runs happen as a non-root user in a container. And Claude Code on the web silently ignores defaultMode: "bypassPermissions" from settings files, so a repository's checked-in config cannot start a cloud session in YOLO mode. Administrators can ban the mode fleet-wide by setting permissions.disableBypassPermissionsMode to "disable" in managed settings.
When YOLO Mode Is Sane vs Reckless
The dividing line is blast radius: YOLO mode is reasonable exactly when the environment already limits what a bad command can destroy or exfiltrate. A permission prompt is a safety net; remove it only where a fall cannot hurt you.
| Environment | YOLO mode? | Why |
|---|---|---|
| Dev container or Docker sandbox with no secrets | Sane | Disposable filesystem, non-root user, controllable network egress |
| CI runner on a throwaway VM | Sane | Fresh environment per run; combine with -p, --max-turns, and --max-budget-usd |
| Cloud sandbox / ephemeral VM | Sane | Isolation is the point; snapshot and destroy afterward |
| Your laptop, personal side project, git-committed | Borderline | Git protects code, but your SSH keys, browser sessions, and ~/.aws are all in reach |
| Host machine with production credentials | Reckless | One injected instruction from a README, web page, or MCP result can run with full permissions |
| Anything processing untrusted content | Reckless | The docs state the mode "offers no protection against prompt injection" |
The CI case is genuinely strong: in headless -p runs there is no human to answer prompts anyway, so the choice is between bypassPermissions, dontAsk with a strict allowlist, or a permission-prompt MCP tool. For a disposable runner, the flag plus budget caps is a defensible default; on shared infrastructure, dontAsk is the more honest tool.
Safer Middle Grounds: Modes and Allowlists
Most people reaching for YOLO mode want fewer interruptions, not zero oversight, and Claude Code's permission system now offers several intermediate settings that deliver exactly that. The full ladder, from most to least supervised:
| Mode | What runs without asking | Best for |
|---|---|---|
| default | Reads only | Sensitive work, getting started |
| plan | Reads only; Claude proposes, never edits | Exploring before changing |
| acceptEdits | Reads, file edits, and common filesystem commands in scope | Iterating on code you review via git diff |
| auto | Everything, with a background classifier reviewing each action | Long tasks without prompt fatigue |
| dontAsk | Only pre-approved tools; everything else auto-denied | Locked-down CI and scripts |
| bypassPermissions | Everything | Isolated containers and VMs only |
Two of these deserve emphasis. Allowlists let you keep default mode but pre-approve the commands you trust: add rules like Bash(npm test) and Bash(git diff *) via /permissions, the --allowedTools flag, or permissions.allow in settings, and the built-in /fewer-permission-prompts skill will even mine your transcripts and propose an allowlist. Deny rules apply in every mode, including YOLO mode.
Auto mode, introduced with Claude Code v2.1.83, is Anthropic's direct answer to YOLO mode: a separate classifier model reviews each action and blocks things like curl | bash, force pushes, production deploys, and credential exfiltration while routine work flows uninterrupted. Anthropic's engineering deep dive on auto mode details how the classifier is shielded from hostile tool results. The official warning on bypassPermissions says it plainly: for background safety checks with far fewer prompts, use auto mode instead. See the commands cheat sheet for the Shift+Tab cycle and /permissions workflow.
Sandboxing: Prompts Off, Walls Up
Claude Code's built-in Bash sandbox flips the model: instead of approving each command, you define which files and network domains commands can touch, and the operating system enforces that boundary. Run /sandbox in a session to enable it. On macOS it uses the built-in Seatbelt framework with nothing to install; on Linux and WSL2 it uses bubblewrap plus socat. By default, sandboxed commands can write only to the working directory and session temp directory, and no network domains are pre-allowed; the first request to a new domain prompts once, or you pre-approve with sandbox.network.allowedDomains.
In auto-allow mode, sandboxed commands run without prompting at all, which captures most of YOLO mode's speed while the OS-level wall holds even if an allowed command does more than its name suggests. The key difference from --dangerously-skip-permissions: the sandbox replaces the prompt with an enforced boundary, YOLO mode replaces it with nothing. For fully unattended agents, the strongest stack is a dev container or VM for isolation, the sandbox for defense in depth, deny rules and hooks for policy, and only then the skip flag. Our Claude Code best practices guide walks through that layering.
Limitations You Cannot Configure Away
No flag or setting makes YOLO mode safe against prompt injection, and Anthropic says so directly: bypassPermissions "offers no protection against prompt injection or unintended actions." If Claude reads a hostile instruction planted in a README, an issue comment, a web page, or an MCP tool result, there is no prompt left to catch the resulting command. The mitigation is environmental (isolation, no secrets, no network) rather than configurational.
Also worth knowing before you alias claude to the flag, as many people do: the alias caused a real bug class where subcommands after a leading --dangerously-skip-permissions were treated as prompts, fixed for daemon in v2.1.199, so keep the alias for interactive use and call the plain binary in scripts. Sandbox network filtering, if you use it as your wall, allows by hostname without inspecting TLS, so broad domains like github.com can still be an exfiltration path. And on shared or work machines, check with your admin first; if disableBypassPermissionsMode is set in managed settings, the flag simply will not work.
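A settings check for the risks named in this article, as an added example (not code from the original page or from Anthropic). The setting names `permissions.defaultMode`, `permissions.disableBypassPermissionsMode`, `permissions.allow` and `sandbox.network.allowedDomains` come from the text above; `permissions.deny`, the bare `Bash` allow rule, and both sample settings are assumptions constructed for illustration.

```python
# Added example: lint a parsed Claude Code settings dict for risks this page names.
BROAD_DOMAINS = {"github.com"}  # the page's example of a broad host; extend locally


def audit_settings(settings, managed=False):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    perms = settings.get("permissions", {})
    if perms.get("defaultMode") == "bypassPermissions":
        findings.append("permissions.defaultMode=bypassPermissions: sessions start with prompts off")
    if managed and perms.get("disableBypassPermissionsMode") != "disable":
        findings.append("managed settings do not set permissions.disableBypassPermissionsMode=disable")
    if not perms.get("deny"):
        findings.append("permissions.deny is empty: deny rules are enforced in every mode")
    for rule in perms.get("allow", []):
        if rule in ("Bash", "Bash(*)"):
            findings.append(f"permissions.allow contains {rule!r}: pre-approves every shell command")
    domains = settings.get("sandbox", {}).get("network", {}).get("allowedDomains", [])
    for domain in domains:
        if domain.lower() in BROAD_DOMAINS:
            findings.append(f"sandbox.network.allowedDomains contains {domain}: "
                            "hostname-only filtering leaves it usable for exfiltration")
    return findings


# Constructed sample settings (not taken from any real project).
RISKY = {
    "permissions": {"defaultMode": "bypassPermissions", "allow": ["Bash"]},
    "sandbox": {"network": {"allowedDomains": ["github.com"]}},
}
HARDENED = {
    "permissions": {
        "defaultMode": "default",
        "disableBypassPermissionsMode": "disable",
        "allow": ["Bash(npm test)", "Bash(git diff *)"],
        "deny": ["Read(~/.aws/**)", "Bash(curl *)"],
    },
    "sandbox": {"network": {"allowedDomains": ["registry.npmjs.org"]}},
}

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("HARDENED", HARDENED)):
        print(name, audit_settings(cfg, managed=True) or "no findings")
```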
Related Guides
- Claude Code Hooks: Setup, Events, and Real Examples
- Claude Code Commands: The Complete Cheat Sheet (2026)
- Claude Code Best Practices in 2026
- Claude Code Guide: CLI, Desktop, Web, and Real-World Fit
Frequently Asked Questions
What is YOLO mode in Claude Code?
YOLO mode is the informal name for running Claude Code with --dangerously-skip-permissions, which starts the session in bypassPermissions mode. Permission prompts and safety checks are disabled and tool calls execute immediately, with only explicit ask rules, deny hooks, and a circuit breaker for rm -rf / and rm -rf ~ still standing.
How do I skip all permissions in Claude Code?
Launch with claude --dangerously-skip-permissions or claude --permission-mode bypassPermissions. To make it the default in a disposable environment, set "permissions": {"defaultMode": "bypassPermissions"} in settings. You cannot switch into this mode mid-session unless it was enabled at launch, and it refuses to run as root outside a recognized sandbox.
Is dangerously-skip-permissions safe?
Only in isolated environments. Anthropic's documentation says to use it exclusively in containers, VMs, or dev containers, ideally without internet access, because it offers no protection against prompt injection or unintended actions. On a host machine with real credentials, prefer auto mode, allowlists, or the sandbox.
What is the difference between YOLO mode and auto mode?
Auto mode removes routine prompts but runs a separate classifier model that reviews each action and blocks dangerous ones like curl | bash, force pushes, and production deploys. YOLO mode removes the prompts and the checks. Anthropic explicitly recommends auto mode over bypassPermissions when what you want is fewer interruptions.

