Is It Safe to Let Claude Code Auto-Accept Edits or Skip Permissions?

Short answer: yes, with one mode and one habit. Letting Claude Code accept edits without asking is fine if your project has a real undo underneath it. Skipping permissions entirely with --dangerously-skip-permissions is a different thing, and Anthropic's own docs say to keep it to throwaway containers. The trap is in the middle, where a single keypress quietly lets Claude delete files in your project without asking.

Let's make the modes plain, then make the prompts go away safely.

Why the prompt shows up at all

When Claude wants to edit a file, run a shell command, or hit the network, it pauses and asks you to approve. Press Shift+Tab in the CLI and you cycle through modes that change how often that pause happens. More oversight means more interruptions. Fewer interruptions means more trust. That tradeoff is the whole story, so the only real question is how much you can safely trade.

What each mode actually lets run without asking

Here is the honest version, straight from Anthropic's permission-modes docs:

• default (where you start): reads only. Claude pauses before every edit, command, and network request. Most interruptions, most safety.
• acceptEdits (one Shift+Tab away): auto-approves file edits and a short list of filesystem commands. This is the one with a surprise, below.
• plan: reads and proposes, makes no changes. Great for "tell me what you'd do" before anything runs.
• auto: runs almost everything, with a background classifier checking each action. Fewer prompts, real caveats (below).
• bypassPermissions (the --dangerously-skip-permissions flag, often called "YOLO mode"): no prompts, no checks, everything runs.

The surprise hiding in "accept edits"

Most beginners press Shift+Tab once, see ⏵⏵ accept edits on, and assume it only auto-approves harmless typing into files. Not quite. The docs are explicit: acceptEdits also auto-approves these filesystem commands inside your working directory: mkdir, touch, rm, rmdir, mv, cp, and sed.

Read that list again. rm is delete. mv can overwrite. cp can overwrite. So in accept-edits mode, inside your project folder, Claude can remove or replace a file without asking you first. Everything else (other shell commands, network calls, writes outside your project) still prompts, which is good. But the files you most care about, the ones in the project you are working on, are exactly the ones that mode stops guarding.

That is not a reason to avoid accept-edits. It is a reason to only turn it on once you have an undo. Because the mode doesn't give you one.

Plan mode: the safe way to go faster

If you want speed without the deletion risk, plan mode is underrated. Claude reads your code and writes out exactly what it intends to do, but changes nothing until you approve the plan. You get the "just handle it" feeling and a chance to catch a bad idea before it touches a file. For anything unfamiliar, start here.

"Auto mode" and the part Anthropic admits out loud

Newer Claude Code has an auto mode that runs almost everything while a separate classifier model reviews each action and blocks the scary ones: production deploys, mass deletion, curl | bash, force-pushing to main, actions driven by hostile content Claude read. It is a genuine step up from raw skip-permissions.

It is also, in Anthropic's own words, a research preview. Their engineering write-up reports the classifier had a 17 percent false-negative rate on real dangerous actions in testing, meaning it let through roughly one in six. They put it plainly: it is "not a drop-in replacement for careful human review on high-stakes infrastructure," and it is behavioral monitoring, not filesystem or network isolation. Translation: fewer prompts, not a safety net. Use it where you trust the direction, not as the thing standing between Claude and your only copy of something.

bypassPermissions / --dangerously-skip-permissions: containers only

bypassPermissions, which is what --dangerously-skip-permissions switches on, disables prompts and safety checks so every tool call runs immediately. The flag has "dangerously" in the name on purpose. Anthropic's docs say to only use it in isolated environments like containers, VMs, or dev containers without internet access, and warn it "offers no protection against prompt injection or unintended actions." There are a couple of hard circuit breakers left (it still refuses rm -rf / and rm -rf ~, and won't start as root), but that is the floor, not a fence. On the machine that holds your real work, this mode is not the move.

The gap no permission mode closes

Here is the thing every mode shares, and it is the part that actually bites people. Permission modes decide whether Claude asks. None of them keep a copy of your file.

So the moment a delete or overwrite goes through, whether you approved it in default mode, it slipped past in accept-edits, or auto mode's classifier missed it, there is no built-in undo. And the usual fallbacks have holes:

• /rewind only undoes Claude's direct edits inside the session. It never tracks terminal commands like rm or mv, so a deleted file is invisible to it. (Full breakdown here.)
• git can only restore what it had a snapshot of. Your .env, a local database, a brand-new file, anything git-ignored or never committed: git never saw it, so it can't bring it back.

That overlap, untracked files removed by a terminal command, is the exact spot where "Claude deleted my work" stories come from. No permission setting fixes it, because it is not a permissions problem. It is a backup problem.

How to turn off the prompts without the regret

You can absolutely run accept-edits (or auto mode) and enjoy the speed. Just put a real undo underneath it first. Three moves, easiest first:

1. Keep your project in a backup-synced folder. Dropbox, Google Drive, OneDrive, iCloud, or Time Machine on its location. Now every change keeps a recoverable history on its own.
2. Ask Claude to set up git and checkpoint before big changes. You don't need to learn git. Just say: "Set up git if it isn't already and commit a checkpoint now, so I have a safe point to return to." (More on this in How to back up before Claude Code edits.)
3. Add a net for the files git and rewind skip. This is the real gap: your .env, your local database, brand-new files. Undeletable is a tiny local add-on that saves a byte-for-byte copy of a file before Claude touches it, whether Claude edits it directly or removes it with a terminal command. If something goes wrong you type /restore. It runs locally (no account, no cloud), it's a one-time $19, and it protects files from the moment you install it forward, which is why the time to set it up is before you loosen the prompts, not after.

The plain rule

• Learning, or doing anything sensitive? Stay in default or plan mode.
• Want fewer prompts on code you're actively reviewing? accept-edits is fine, once you have version control plus a backup.
• --dangerously-skip-permissions? Containers and VMs only, never your real work.

Speed is great. Just don't buy it with your only copy of something.

Start with the free Claude Code Safety Checklist. It's the calm, plain-English, do-this-then-this setup that makes every mode above safe to use, and we'll email it to you so you have it before you flip the next switch. When you want the always-on net for the files rewind and git both miss, Undeletable is $19, one time, and lives quietly on your machine.

---

Related reading: Does Claude Code's /rewind Undo Deleted Files? · Claude Code Deleted My Files? How to Recover Them · The Beginner's Safety Guide to Claude Code