claude-code-complete-agent/security/permission-modes-explained.md

Permission Modes

Claude Code has three permission modes that control how much autonomy the agent has. This is the first line of defense.

The three modes

1. Default mode (recommended for learning)

Claude Code asks permission before every potentially dangerous action: writing files, running shell commands, making web requests. You approve or deny each one.

Claude wants to run: npm install express
Allow? [y/n/always]

OpenClaw equivalent: DM pairing with exec approvals enabled.

2. Auto-edit mode (--allowedTools)

You pre-approve specific tools and patterns. Claude Code runs those without asking but still prompts for everything else.

Configured in .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Read",
      "Write",
      "Bash(npm test)",
      "Bash(ls:*)"
    ]
  }
}

OpenClaw equivalent: Tool allowlists per agent/session.

3. Bypass mode (--dangerously-skip-permissions)

No permission checks at all. Claude Code executes everything.

Never use this for:

• Untrusted code or repos
• Automated pipelines without hooks
• Any environment with sensitive data

Only appropriate for:

• Isolated sandbox environments
• Testing with expendable data
• CI/CD with compensating controls (hooks)

OpenClaw equivalent: Elevated mode with Docker sandbox.

How permission modes interact with hooks

Hooks run regardless of permission mode. Even in bypass mode, a PreToolUse hook can block dangerous commands. This is your safety net.

Permission mode: decides IF Claude Code can use a tool
Hooks: decide HOW the tool can be used
Settings deny list: decides WHICH tools exist at all

Recommendation

Start with default mode. Move to auto-edit mode once you understand which operations you trust. Never use bypass mode outside of sandboxes.