Claude Code YOLO Mode (--dangerously-skip-permissions): Is It Safe?

A tutorial told you to run Claude Code with --dangerously-skip-permissions, and the word "dangerously" is doing a lot of work. Here is what YOLO mode actually turns off, the one real horror story it enables, when it is genuinely fine to use, and the two-minute safety net to set up first.

A tutorial or a YouTube comment told you the magic words: run Claude Code with --dangerously-skip-permissions and it stops nagging you for permission on every little thing. People call it YOLO mode, and the promise is real. So is the word sitting in the middle of the flag: dangerously.

This is the honest, plain-English answer to whether YOLO mode is safe, what it actually switches off, the one horror story it enables, and, if you still want to use it, how to do it without betting your real work.

What YOLO mode actually does

By default, Claude Code is cautious on purpose. Per Anthropic's security docs, it starts with strict read-only permissions. A short list of harmless commands like ls, cat, and git status runs without a prompt, but anything that changes your system, editing a file, running a command, fetching from the web, stops and asks you first. It also can only write inside the folder where you started it.

The --dangerously-skip-permissions flag turns on what Anthropic calls bypassPermissions mode, and it does exactly what the name says: it removes the prompts. Every action Claude decides to take, file edits, shell commands, network requests, tool calls, just runs. No "do you want to allow this?" No pause. The first time you use it, Claude Code shows a one-time warning you have to accept, which is the tool telling you plainly that you are switching off its main safety feature.

So the appeal is obvious. No more hitting "yes" forty times an hour. And the cost is just as obvious once you say it out loud: you have removed the one moment where you could catch a wrong command before it ran.

The horror story it enables

Here is the failure mode, and it is not hypothetical. It is the shape of nearly every "Claude Code deleted my files" story once you look closely.

You ask Claude to "clean up the old files." It writes a shell command to remove some folders. In one widely shared incident, a cleanup command expanded to include the user's home directory, and with prompts off it deleted Desktop files, app data, everything, in one go. There was no prompt to say "wait, that path looks wrong." There was nothing to say no to.

Two things make this worse than it sounds:

  • The built-in undo has a blind spot. Claude's /rewind checkpoints track the edits Claude makes to files, not files removed through terminal commands like rm. We tested this the hard way in does Claude Code's rewind undo deleted files? The short answer is no, not the ones that matter most, and YOLO mode is where those exact deletions happen.
  • It weakens the prompt-injection defense too. The permission prompts are also part of how Claude Code resists malicious instructions hidden in content it reads. Turn the prompts off and a hostile README or web page that convinces Claude to run something no longer has to get past you. This is why Anthropic's guidance is to only use this mode in an isolated environment, like a container or a virtual machine, ideally without internet access.

Put simply: YOLO mode is not "Claude is more likely to make a mistake." Claude is about as reliable either way. It is that when a mistake happens, nothing stops it and there may be nothing to recover it.

When YOLO mode is actually fine

This is not a lecture that ends in "never do it." There is a legitimate place for it, and it is worth being precise so you can tell the two situations apart.

YOLO mode is reasonable when the environment cannot hurt anything you care about. Concretely:

  • Inside a dev container or a virtual machine, which is exactly what Anthropic's docs recommend for this. If the whole workspace is disposable and your real files are not reachable, letting Claude run unattended is a productivity win, not a risk.
  • On a throwaway project in an empty folder with nothing else around it, for grunt work like bulk formatting fixes or generating boilerplate, where the worst case is you delete the folder and start over.

Notice the pattern: safe YOLO mode is about isolation, not trust. You are not deciding Claude has earned it. You are making sure that if it goes wrong, the blast radius is a sandbox you can throw away. Claude Code even ships a built-in version of this idea: the /sandbox command and dev containers give it filesystem and network isolation so it can work autonomously without skipping permissions at all, which is the better tool for the job most of the time.

Where YOLO mode is a bad idea is the setup most beginners are actually in: your normal computer, your real projects, the machine with your photos and documents on it. That is precisely where the flag has no upside worth the downside.

The middle path most people actually want

Here is the thing. Most people who reach for YOLO mode do not really want zero safety. They just want fewer interruptions. And there is a much saner way to get that.

Accept-edits mode auto-approves file edits and a fixed set of filesystem commands (mkdir, touch, rm, mv, cp, sed) inside your project folder, while shell commands and out-of-folder paths still prompt. It is far less scary than full bypass, though it has a catch of its own worth understanding first, which we cover in is it safe to let Claude Code auto-accept edits?

So the sensible ladder looks like this:

  1. Learning or touching real work: keep the default prompts on, and actually read them.
  2. Want less friction on your own project: use accept-edits, with a backup net already in place.
  3. Want full autonomy: do it inside a sandbox or VM, not on your main machine.

Whichever rung you are on, one thing sits underneath all of them.

Before you turn off any prompt, put a net under it

The prompts are Claude Code's built-in seatbelt. If you are going to loosen them, the honest move is to add a net first, so a mistake becomes a story you tell instead of work you lost.

That net is short:

  1. Use version control. git gives you a way back for tracked files. It is the floor, not the whole net.
  2. Cover the files git and /rewind both miss. New files you never committed, gitignored files like .env, and anything removed through the shell, the exact files YOLO mode is most likely to destroy, are invisible to both. A small local tool called Undeletable saves a byte-for-byte copy of every file before Claude touches it, including shell deletions and gitignored files, so recovery is typing /restore. It is a one-time $19, runs entirely on your machine, and it is the piece that specifically closes the YOLO-mode gap.
  3. Ask for a checkpoint before big changes. Plain English works: "make a checkpoint before we start." Full walkthrough in how to back up before Claude Code edits.

The fastest way to do all of it in the right order is the free Claude Code Safety Checklist. It is the calm, do-this-then-this version of everything above, and we email it to you so it is sitting in your inbox before your next session, YOLO or not.

The bottom line

Is Claude Code's YOLO mode safe? On a disposable sandbox with nothing to lose, it is a fine productivity trick and exactly what Anthropic recommends isolation for. On the computer that holds your real work, --dangerously-skip-permissions earns its name: it removes the one pause that lets you catch a wrong command, and it removes it right where the built-in undo has a blind spot.

If you just want fewer prompts, use accept-edits or the sandbox instead of the nuclear option. And if you are new and still deciding how much to trust any of this, start with the honest overview in is Claude Code safe?, then grab the free safety checklist so your first real mistake is recoverable. When you want a guided path from first command to confident, that is what our Claude Code course is for.


Related reading: Is it safe to let Claude Code auto-accept edits? · Is Claude Code safe to use? · Claude Code deleted my files · Does Claude Code's rewind undo deleted files? · How to back up before Claude Code edits · The free Claude Code Safety Checklist · All field notes

Frequently asked questions

What is YOLO mode in Claude Code?
YOLO mode is the nickname for running Claude Code with the --dangerously-skip-permissions flag, which turns on what Anthropic calls bypassPermissions mode. Normally Claude Code stops and asks before it edits a file, runs a shell command, or fetches from the web. With this flag every one of those actions runs immediately, no prompts. The name includes the word "dangerously" on purpose, and the first time you use it Claude Code shows a one-time warning you have to accept before it will start.
Is it safe to use --dangerously-skip-permissions?
On the computer that holds your real work, no. With prompts off, one wrong command runs with no chance for you to catch it, and the built-in /rewind only tracks Claude's own edits, not files removed through the shell. Anthropic's documentation says to only use it in an isolated environment like a container or a virtual machine, ideally without internet access, because it also removes the permission checks that help defend against prompt injection. It is reasonable for throwaway work inside that kind of sandbox, and a bad idea anywhere your actual files live.
Why does Claude Code ask for permission on everything?
Because you are the safety check. Claude Code starts in read-only mode and asks before anything that changes your system, so you can catch a wrong command before it runs, not after. Anthropic's docs put the responsibility plainly: Claude Code only has the permissions you grant it, and you are the one reviewing commands before approval. The prompts feel repetitive, but they are the exact thing that turns "Claude deleted my project" from a disaster into a prompt you simply said no to.
What is a safer alternative to YOLO mode?
Three steps, in order. First, use the sandbox: Claude Code's /sandbox and dev containers give it filesystem and network isolation so it can work autonomously without the prompts and without reaching your real files. Second, if you just want fewer interruptions, accept-edits mode auto- approves edits inside your project folder while still prompting for shell and network commands. Third, whatever mode you pick, put a real undo underneath it: version control plus a backup that captures the files git and /rewind miss, so a mistake is recoverable instead of permanent.
Can YOLO mode delete files without asking?
Yes, that is the whole point of it, and it is the specific risk. With --dangerously-skip-permissions on, a command like rm runs the instant Claude decides to use it, with no prompt to stop it. The widely shared horror stories, including a cleanup command that expanded to wipe a user's entire home folder, all share this shape: prompts were off, a destructive command ran, and there was no backup for the files that /rewind never tracked. Keep prompts on until a real safety net is in place.
Safety checklist · free

Never lose your work to Claude Code.

Drop your email. The free Claude Code Safety Checklist lands in your inbox. The 2-minute setup that stops almost every “Claude deleted my work” story.

free · one email · the checklist · unsubscribe anytime