--dangerously-skip-permissions is the only safe mode

Jim Fisher

May 7

There's a flag in Claude Code called --dangerously-skip-permissions. Despite the name, I'm more nervous about engineers that are not using it. If you're using the default "permissions" mode, your Claude setup is probably unsafe.

--dangerously-skip-permissions lets your agent do anything it wants with the machine it's running on. Sounds dangerous! After all, Claude could do some serious damage with that DATABASE_URL in your env files!

By default, Claude asks for your permission before doing anything: running a script, deleting a file, making a network request. Sounds sensible! Trusted humans stay in the loop!

But watch what actually happens when you use it for just a few minutes ...

First, it asks to write a script to a file. Okay, writing files is safe! Approve. Now Claude is asking to run that script. Okay, script looks safe. Approve. Hm, the script has an error. Claude edits it and asks to re-run. Read the diff, approve.

After a handful of these, I start feeling: this is really hard work, and the last 10 were all fine. It's probably fine; approve.

I am now effectively in --dangerously-skip-permissions mode, except I'm required to be at the keyboard to skip the permissions. This is called approval fatigue, and it's the reason that the default permissions mode is worse than --dangerously-skip-permissions.

So, if this "approval" system doesn't work, what does? The correct approach is auth.

In normal IT systems for humans at work, how do we solve this problem? We use a system called auth. Bob gets an access token, uses it to make requests like "give me this file", and the service authorizes it based on a policy like "Bob owns this file".

Bob's permissions are crafted to balance two things: Bob needs access to be productive, but Bob can also make mistakes, turn disgruntled, or lose his laptop.

Bob can write and run any scripts he likes on his machine. No other humans are reading or approving those scripts. Instead, an auth policy is enforced by services that the script talks to. And the auth policies do not get tired.

The agent problem has the same shape: agents can be very helpful, but they can also turn stupid or malicious or both. And we can't afford to have humans watching over everything they do.

So the equivalent of auth for Claude Code is ... auth. You give him credentials, then let him run any scripts he likes with them.
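The token-plus-policy model described above, as an added example (not code from this post or from Claude Code): a toy file service that verifies a signed token and enforces "the subject owns this file" on every request, whatever script sent it. The per-action scopes, the names `issue_token` and `authorize`, the key and the file table are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service would load this from a secret store.
SERVICE_KEY = b"constructed-demo-key"

# Constructed sample data: file name -> owner.
FILES = {"notes.txt": "bob", "payroll.csv": "alice"}


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest().encode()


def issue_token(subject, scopes):
    """Service side: mint a signed token naming its subject and allowed actions."""
    claims = {"sub": subject, "scopes": sorted(scopes)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()


def verify_token(token):
    """Return the claims if the signature checks out, else None."""
    try:
        body, sig = token.encode().rsplit(b".", 1)
    except ValueError:  # no signature part at all
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # claims were altered or the token was never issued here
    return json.loads(base64.urlsafe_b64decode(body))


def authorize(token, action, filename):
    """Policy: token must carry the action's scope AND its subject must own the file."""
    claims = verify_token(token)
    if claims is None or action not in claims["scopes"]:
        return False
    return FILES.get(filename) == claims["sub"]


if __name__ == "__main__":
    # The agent works for Bob but is only handed a read-only credential.
    agent = issue_token("bob", ["read"])
    for action, name in [("read", "notes.txt"), ("delete", "notes.txt"),
                         ("read", "payroll.csv")]:
        verdict = "allow" if authorize(agent, action, name) else "deny"
        print(f"{action:6} {name:12} -> {verdict}")
```

The decision is made from the token and the policy alone, so it comes out the same on the first request and the thousandth.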

Now, suppose you have two colleagues: Bob uses Claude in regular permissions mode, and Alice uses Claude with --dangerously-skip-permissions. Who is more likely to cause a production incident?

It's Bob that makes me more nervous: the fact that he's uncomfortable with --dangerously-skip-permissions means he knows the machine has more powerful credentials than he's comfortable with Claude using. He's trying to verify everything Claude does, and eventually he will slip.

This is why --dangerously-skip-permissions is the safer mode. It forces you to use a working permissions system for your agent: an auth system, not an approval system.

Jim Fisher, Founding Engineer