Comment by joegibbs
16 days ago
Claude Code has added too much of this and it's got me using --dangerously-skip-permissions all the time. Previously it was fine but now it needs to get permission each time to perform finds, do anything if the path contains a \ (which any folder with a space in it does on Windows), do compound git commands (even if they're just read-only). Sometimes it asks for permission to read folders WITHIN the working directory.
Claude is secretly conditioning everyone to use —-dangerously-skip-permissions so it can flip a switch one day and start a botnet
My friends and I were talking about the recent supply chain attack which harmlessly installed OpenClaw. We came to the conclusion that this was a warning (from a human) that an agent could easily do the same. Given how soft security is in general, AI "escaping containment" feels inevitable. (The strong form of that hypothesis where it subjugates or eliminates us isn't inevitable, I honestly have no idea, just the weak form where we fail to erect boundaries it cannot bypass. We've basically already failed.)
Prophesied, all things claw are highly dangerous. Sometimes I wake, this video from the late 90s in my dreams, and wonder if the conjoined magnet + claw, is a time traveler reference to just wipe openclaw before we all die.
https://www.youtube.com/watch?v=esakMUbzAIY
What ai? LLMs are language models, operating on words, with zero understanding. Or is there a new development which should make me consider anthropomorphizing them?
3 replies →
This is why I wrote yoloAI
My agents always run with —-dangerously-skip-permissions now, but they can no longer do any harm.
https://github.com/kstenerud/yoloai
Claude is able to turn off it's own sandbox, so ya.
Yeah I don't know why they didn't figure to have something in between. I find it completely unusable without the flag.
Even a --permit-reads would help a lot
I have the same experience as you and joegibbs.
I imagine it's really hard to find an adequate in-between that works in general. (Edit: but it also feels like a CYA thing.)
The settings.json allowlist gives you exactly this kind of granularity. You can permit specific tool patterns like Read, Glob, Grep, Bash(git *) while keeping destructive operations gated. It's not as discoverable as a CLI flag but it's been working well for me for unattended sessions.
Mine's started to use $() to feed e.g. strings into a commit. Because this is a command expansion it requires approval every single time.
FWIW, if you enable /sandbox then it stops asking for permission for these kinds of commands.
Yeah, mine to which I find really annoying
Yeah I had to ask it to stop doing that as well && chaining commands that it could split. I got tired of having to manually give permissions all the time (or leaving it to churn, only to come back after a while to see it had asked for permissions very early into the task)
Working on something that addresses this and allows you to create reusable sets of permissions for Claude Code (so you can run without --dangerously-skip-permissions and have pre-approved access patterns granted automatically) https://github.com/empathic/clash
I've found Claude Code's built-in sandbox to strike a good balance between safety and autonomy on macOS. I think it's available on Windows via WSL2 (if you're looking for a middle ground between approving everything manually and --dangerously-skip-permissions)
Use yoloAI and you get the full benefit of --dangerously-skip-permissions with none of the risks.
https://github.com/kstenerud/yoloai
Every time I use a bare Claude session (even with /sandbox) without using yoloai, it feels like using a browser without an ad blocker.
Still waiting for progress from the team trying to get WSL approved for use at our org. We get a "still working through the red tape" update every couple months.
You don't need WSL to run Claude code on windows.
3 replies →
> using windows
1 reply →
To be fair, read-only commands can still read sensitive files and keys, and exfiltrate them via prompt injection.
Not if you don’t have keys on your computer.
In my case, all of my keys are in AWS Secrets Manager. The temporary AWS access keys that are in environment variables in the Claude terminal session are linked to a role without access to Secrets Manager. My other terminal session has temporary keys to a dev account that has Admin access
The AWS CLI and SDK automatically know to look in those environment variables for credentials.
And “find” can easily execute arbitrary subcommands, which may not be readonly.
We need a new suite of utilities with defined R/W/X properties, like a find that can't -exec arbitrary programs. Ideally the programs would have a standard parseable manifest.
I've seen this before with sodoers programs including powerful tools. Saw one today with make, just gobsmacked.
1 reply →
In my limited time using it, I’ve never seen it ask for permission to read files from within the working directory, what cases have you run into where it does? Was it trying to run a read-only shell command or something?
It will sometimes do this for gitignored files to avoid reading secret tokens in env files for example. But for certain languages that rely on code generation this can be a pain.
It seems to be particularly bad in Windows/WSL
Use Claude Code for Web. Let it live dangerously on their VMs, not yours.
Could be intentional dark UI, to get people to put even more trust in the LLM.
"So they don't want to just let Claude do it? Start asking 10x the confirmations"
Find can be dangerous it has an exec flag
You can relax permissions while avoiding the flag with BashTool sandboxing, see /sandbox.
Maybe if compound commands trigger user approval, don’t do compound commands <facepalm/>