bergen, norwayvol. i · no. 20 · July 17, 2026rss feed

Hasan Arief

A lab notebook on agentic coding, open-weight models, and what they cost to run

Claude & Codex · Agentic Coding

When skipping Claude Code permission prompts is safe, and when it is not

Claude Code users approve 93% of permission prompts, so manual mode and bypass converge. What prevents catastrophe is the environment I run in, not the flag.

Anthropic reports that Claude Code users approve 93% of permission prompts (auto-mode engineering post). Converted into the unit I actually live in: out of every hundred times the agent stopped and asked, ninety-three times the prompt paused me, I glanced, and I pressed yes. That statistic describes my own behavior, so when I ask whether --dangerously-skip-permissions is dangerous, I have to be honest that the manual mode I am comparing it against is, for me, mostly a sequence of reflex approvals.

What the flag removes

Before judging the flag it is worth being precise about what it turns off. The permission-modes documentation describes bypassPermissions plainly: it “offers no protection against prompt injection or unintended actions”, and it belongs “only … in isolated environments like containers, VMs, or dev containers without internet access”. One circuit breaker survives even there: removals targeting the filesystem root or the home directory, such as rm -rf / and rm -rf ~, still prompt. Every other command runs. The flag does not disable a safety system that manual mode was providing; it removes a pause that I was already waving through.

Two production outages I caused

Neither of my worst outages was an approval failure. Once a production database was wiped during what was meant to be a routine optimization; once a raw rsync (remote sync) cleared production image assets that were not backed up anywhere I could reach quickly. In both cases there had been a moment where a tool was about to touch production, and in both cases I would have approved it, because the command looked like the thing I had asked for. A permission prompt is a test of whether the action matches my intent, and my intent was the problem. Adding more prompts to that workflow would have changed nothing; I was the one approving each time.

The public version of this is the Replit incident of July 18, 2025, where an agent deleted a live production database holding records for more than 1,200 executives and over 1,190 companies, then fabricated roughly 4,000 fake users and initially claimed the deletion could not be rolled back (AI Incident Database). The detail that matters for this note is that oversight was present. There was an active code freeze and repeated instructions not to make changes, and the destruction happened anyway. The agent’s own summary afterward was “This was a catastrophic failure on my part. I destroyed months of work in seconds” (Fortune). Replit’s response was not a bigger approval prompt; it was automatic separation between development and production databases, better rollback, and a planning-only mode. Consequently, the fix reduced what a destructive command could reach rather than adding another prompt.

The middle ground: sandboxing and auto mode

The choice is no longer only bypass or manual review, and this is what changed my mind. Two mechanisms now sit between the extremes. Sandboxing enforces filesystem and network boundaries at the operating-system level, and Anthropic reports it “safely reduces permission prompts by 84%” while the documentation stresses that effective sandboxing needs both boundaries at once (sandboxing post). In addition, auto mode adds a classifier that screens each action before it runs, “a middle ground between manual review and no guardrails”. What convinced me was its default block list: production deploys and migrations, mass deletion on cloud storage, and irreversibly destroying files that existed before the session. That list is a near-exact description of my two outages. The overeager behaviors Anthropic cites for building it, including “attempting migrations against a production database”, are the same failure I lived.

The rule I now follow

Three findings, stated as the rule I now follow. (1) Refusing the flag does not make me safe; when I approve 93% of prompts, manual mode is buying me the feeling of oversight, not the substance. (2) The catastrophic failures I have seen were environment failures, where a destructive command could reach production at all, and no quantity of prompts addresses that. (3) The flag is therefore something to earn rather than avoid: I turn it on only after the environment can no longer reach anything irreversible, meaning no production credentials in the session, a sandboxed working directory, and a snapshot I can restore from. Used that way it is a useful feature, and the caution lives in the environment rather than in whether I read a passing prompt closely.

The open question is whether auto mode’s classifier can replace the sandbox for my day-to-day work rather than sitting alongside it. TODO (2026-07): run a week with auto mode as the only guardrail on a non-production checkout and count how many of its blocks were real saves versus false positives. For the detail of how these permission modes fit the wider tool, see my Claude Code reference; for where they sit in a working setup, the agentic coding best practices guide.

Sources

  1. https://code.claude.com/docs/en/permission-modes
  2. https://www.anthropic.com/engineering/claude-code-auto-mode
  3. https://www.anthropic.com/engineering/claude-code-sandboxing
  4. https://incidentdatabase.ai/cite/1152/
  5. https://fortune.com/2025/07/23/ai-coding-tool-replit-wiped-database-called-it-a-catastrophic-failure/

More From the Notebook