Claude Code --dangerously-skip-permissions: what it does and when to actually use it

If you've used Claude Code for more than a few hours, you've hit this wall:

Claude wants to execute: rm -rf ./dist && npm run build
Allow? [y/n]

Multiply that by 50 tool calls per session and you understand why --dangerously-skip-permissions exists.

But the name is scary. Let's unpack what it actually does — and how to use it without shooting yourself in the foot.

What the flag actually does

Without the flag, Claude Code prompts you before every:

• File write
• Shell command execution
• Process spawn
• Network request

With --dangerously-skip-permissions, all those prompts disappear. Claude executes every tool call immediately without waiting for your approval.

That's it. It's not bypassing any AI safety guardrails. It's bypassing the interactive confirmation prompts.

The actual risk

The risk is straightforward: Claude can now delete files, run arbitrary commands, and make network requests without asking first.

In your home directory on your main machine: don't use it.

In a proper sandbox: it's fine, and honestly how most serious Claude Code automation works.

Safe sandbox setup

Here's the pattern I use for any Claude Code session that touches production-adjacent code:

#!/bin/bash
# safe-claude.sh — sandbox wrapper for Claude Code

# Create isolated work directory
WORK_DIR=$(mktemp -d /tmp/claude-work-XXXXX)
echo "Working in: $WORK_DIR"

# Copy project to sandbox
cp -r "$1" "$WORK_DIR/project"
cd "$WORK_DIR/project"

# Set budget limits
export ANTHROPIC_MAX_TOKENS=50000

# Launch with skip-permissions in the sandbox
claude --dangerously-skip-permissions

# Show diff when done
echo "\n=== Changes made ==="
diff -r "$1" "$WORK_DIR/project" --brief

Usage:

chmod +x safe-claude.sh
./safe-claude.sh ./my-project

Now --dangerously-skip-permissions is fine — the worst case is a messed-up temp directory.

Docker isolation (the proper way)

For anything more serious:

# Dockerfile.claude-sandbox
FROM node:20-slim

# Install Claude Code
RUN npm install -g @anthropic-ai/claude-code

# Create non-root user
RUN useradd -m -s /bin/bash claudeuser
USER claudeuser
WORKDIR /home/claudeuser/project

# No network access to production systems
# Mount your project directory at runtime
CMD ["claude", "--dangerously-skip-permissions"]

# Run it
docker build -f Dockerfile.claude-sandbox -t claude-sandbox .
docker run -it \
  --network none \
  -v $(pwd):/home/claudeuser/project \
  -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
  claude-sandbox

The --network none flag means Claude can't make outbound requests. Combined with a non-root user, you've got a tight sandbox.

The CLAUDE.md approach (for trusted projects)

If you have a well-defined project with a known task scope, you can use CLAUDE.md to limit what Claude wants to do, even with skip-permissions enabled:

# CLAUDE.md

## Constraints
- Only modify files in ./src and ./tests
- Never delete files — only create or edit
- Never run git push or git commit
- Never install new packages without listing them first
- Log every shell command you run to ./claude-audit.log

This doesn't enforce anything technically — but Claude Code follows these instructions reliably. It's the "soft fence" approach.

The rate limit problem

Here's the other reason people reach for --dangerously-skip-permissions: when you're running long automated sessions, rate limits break the flow.

Claude Code pauses your session mid-task when you hit Anthropic's rate limits. With a fully automated pipeline (no human watching), this means your session just... hangs.

One workaround is to point ANTHROPIC_BASE_URL at a proxy that smooths out rate limits:

export ANTHROPIC_BASE_URL=https://simplylouie.com
export ANTHROPIC_API_KEY=your-key-here
claude --dangerously-skip-permissions

SimplyLouie is a flat-rate Claude proxy ($2/month) — no per-token billing, no rate limit interruptions. If you're running Claude Code in automation pipelines where a hung session costs you time, it's worth looking at.

When to use it — decision tree

Is this a sandbox/temp directory?
├── YES → --dangerously-skip-permissions is fine
│   └── Consider Docker for extra isolation
└── NO → Is it a trusted project you know well?
    ├── YES → Add CLAUDE.md constraints first, then consider it
    └── NO → Don't use it. Approve manually.

The automation pattern that actually works

For CI/CD or background automation:

#!/bin/bash
# claude-autorun.sh

set -e  # Exit on any error

# Git snapshot before Claude touches anything
git stash
git checkout -b claude-work-$(date +%s)

# Run Claude with the task
echo "$TASK" | claude --dangerously-skip-permissions --print

# Review the diff before merging
git diff HEAD~1
read -p "Merge these changes? [y/N] " confirm
[[ $confirm == [yY] ]] && git checkout main && git merge claude-work-$(date +%s)

The key pattern: git branch before, human review after. The middle can be fully automated.

---

The flag isn't dangerous if you're thoughtful about the environment it runs in. The name makes it sound like you're disabling safety systems — you're not. You're just skipping the interactive approval loop.

Set up a proper sandbox once. Then use skip-permissions freely inside it.