Claude Code has added too much of this and it's got me using --dangerously-skip-permissions all the time. Previously it was fine but now it needs to get permission each time to perform finds, do anything if the path contains a \ (which any folder with a space in it does on Windows), do compound git commands (even if they're just read-only). Sometimes it asks for permission to read folders WITHIN the working directory.
Yeah I don't know why they didn't figure to have something in between. I find it completely unusable without the flag.
Even a --permit-reads would help a lot
Mine's started to use $() to feed e.g. strings into a commit. Because this is a command expansion it requires approval every single time.
Working on something that addresses this and allows you to create reusable sets of permissions for Claude Code (so you can run without --dangerously-skip-permissions and have pre-approved access patterns granted automatically) https://github.com/empathic/clash
I've found Claude Code's built-in sandbox to strike a good balance between safety and autonomy on macOS. I think it's available on Windows via WSL2 (if you're looking for a middle ground between approving everything manually and --dangerously-skip-permissions)
Could be intentional dark UI, to get people to put even more trust in the LLM.
"So they don't want to just let Claude do it? Start asking 10x the confirmations"
Use Claude Code for Web. Let it live dangerously on their VMs, not yours.
To be fair, read-only commands can still read sensitive files and keys, and exfiltrate them via prompt injection.
In my limited time using it, I’ve never seen it ask for permission to read files from within the working directory. What cases have you run into where it does? Was it trying to run a read-only shell command or something?
You can relax permissions while avoiding the flag with BashTool sandboxing, see /sandbox.
Find can be dangerous; it has an exec flag.
Maybe if compound commands trigger user approval, don’t do compound commands <facepalm/>
Claude is secretly conditioning everyone to use --dangerously-skip-permissions so it can flip a switch one day and start a botnet
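Added example, not part of the thread and not Claude Code's actual permission logic: a sketch of the middle ground the comments above ask for, auto-approving compound read-only commands while still stopping on `$()` and on `find -exec`. The allowlists and function names are assumptions made for illustration.

```python
import shlex

# Hypothetical allowlists for this sketch; "read-only" says nothing about which files get read.
READ_ONLY = {"ls", "cat", "grep", "find", "pwd"}
GIT_READ_ONLY = {"status", "log", "diff", "show"}
# GNU find primaries that run programs or modify the filesystem.
FIND_UNSAFE = {"-exec", "-execdir", "-ok", "-okdir", "-delete",
               "-fprint", "-fprint0", "-fprintf", "-fls"}
CONTROL = {";", "&&", "||", "|"}  # operators that join simple commands


def check_simple(argv):
    """Check one simple command (no control operators) against the allowlists."""
    if not argv:
        return []
    prog, args = argv[0], argv[1:]
    if prog == "git":
        sub = args[0] if args else ""
        return [] if sub in GIT_READ_ONLY else [f"git {sub} is not on the read-only list"]
    if prog not in READ_ONLY:
        return [f"{prog} is not on the read-only list"]
    if prog == "find":
        return [f"find {a} runs programs or writes files" for a in args if a in FIND_UNSAFE]
    return []


def approval_reasons(command):
    """Return reasons to ask a human; an empty list means auto-approve."""
    # Conservative: flag substitution anywhere, even inside single quotes.
    if "$(" in command or "`" in command:
        return ["command substitution runs a nested command"]
    if "\n" in command or "\r" in command:
        return ["newline separates commands"]
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # shlex would drop text after a mid-word '#'; the shell would not
    try:
        tokens = list(lexer)
    except ValueError as exc:  # e.g. unbalanced quotes
        return [f"unparseable: {exc}"]
    reasons, part = [], []
    for tok in tokens + [";"]:  # sentinel flushes the last simple command
        if tok in CONTROL:
            reasons += check_simple(part)
            part = []
        elif tok and set(tok) <= set("();<>|&"):
            reasons.append(f"operator {tok!r}: redirection, background or subshell")
        else:
            part.append(tok)
    return reasons
```

Option-level checks are shown only for `find`; a real policy would need them for every allowed program, and quoted operators such as `grep "&&"` are flagged on purpose rather than risk a miss.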