There's a specific moment, when you type --dangerously-skip-permissions and hit enter, where you can hear Kenny Loggins start up in the back of your skull. Top Gun. The Danger Zone. You have just told the agent to stop asking. Every bash command, every file write, every network call, every tool invocation — auto-approved, no confirmation, no pause, no chance to catch a bad one before it fires. You've taken the seatbelt off and put on the aviators.
This flag is the reason I called myself DangerouslySkip, so you'd be right to assume I'm about to tell you to flip it on for everything and ride into the sunset. I'm not. But I'm also not going to clutch my pearls about it, because both camps — the cowboys and the pearl-clutchers — are wrong in exactly the same way, and the way they're wrong is the whole point of this post.
The pearl-clutchers will tell you, gravely, that this flag will rm -rf your life. And look, the horror stories are real. People have had agents delete their home directory, nuke a project from orbit starting at root, the works. It happens. The cowboys, meanwhile, run it on bare metal — on their actual machine, with their actual credentials, pointed at their actual life — and are then genuinely shocked when it does the thing everyone warned them about.
Here's the uncomfortable bit that should reframe the whole argument: one of the most famous "agent destroyed everything" incidents happened to someone who wasn't even running the dangerous flag. The permission system itself failed and ran the destructive command anyway. Sit with that. The prompt — the thing the pearl-clutchers treat as the sacred safety mechanism — isn't even reliable. It failed open. Which means if your entire safety strategy was "I'll be careful and click approve," you never had a safety strategy. You had a feeling.
That's the lesson. The flag was never the danger. The environment you run it in is the entire question.
Because what auto-approve actually is — and almost nobody talks about it this way — is a forcing function. The instant you decide to let an agent run unattended, you are forced to answer the questions you were lazily skipping every time you clicked "approve" without reading it:
What's the blast radius? Not "is this command safe" — what can this thing physically reach? Is it in a container, a sandbox, a throwaway VM, a branch? Or is it sitting in your home directory with your AWS keys in the environment and an open path to prod? The danger was never the agent editing a file. The danger is the agent that can edit files and reach your secrets and talk to the internet. That's not a YOLO problem, that's a containment problem, and you have it whether the prompts are on or off.
What's the rollback? Your real undo button was never the permission prompt — it's git. Version control is the safety net that actually catches you. If you can revert it, the agent making a mess is a non-event. If you can't, no amount of clicking "approve" was going to save you.
What can it reach out and touch? Network egress, credentials, the MCP tools it inherits — and yes, the subagents inherit the danger-zone setting too, so the blast radius compounds. The careful work is deciding what's in the box with the agent, not whether the agent asks permission to use it.
Notice what happened there. Turning the prompts off forced me to build real safety — containment, least privilege, rollback, observability — where leaving them on let me feel safe while building none of it. The prompt-clicking was security theatre. It made me the human rubber stamp in a loop I wasn't actually reading. Kenny Loggins Mode doesn't make you reckless. Done right, it makes you build the danger zone properly, so the danger is contained and you can let the thing absolutely rip inside it.
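The three questions above (reach, rollback, containment) written as a pre-flight gate. This is an added example, not code from the original post; the function names and the credential-name pattern are assumptions, and network egress and inherited MCP tools are not checked.

```shell
#!/bin/sh
# Added example: pre-flight checks before an unattended, auto-approved agent run.
# Function names and the credential-name pattern are hypothetical.

# Keep only variable names (one per line on stdin) that look like credentials.
leaky_names() {
  grep -E '^(AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)|.*_(TOKEN|SECRET|PASSWORD|API_KEY))$'
}

# True if DIR is / or the home directory, or cannot be resolved at all.
risky_dir() {
  real=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || return 0
  home=$(CDPATH= cd -- "${HOME:-/}" 2>/dev/null && pwd -P) || home=""
  [ "$real" = "/" ] || [ "$real" = "$home" ]
}

# True if DIR has a commit to return to and nothing uncommitted or untracked.
has_rollback() {
  git -C "$1" rev-parse --verify -q HEAD >/dev/null 2>&1 || return 1
  [ -z "$(git -C "$1" status --porcelain 2>/dev/null)" ]
}

# Heuristic only: marker files written by Docker and Podman.
in_container() { [ -f /.dockerenv ] || [ -f /run/.containerenv ]; }

# Print one line per finding; succeed only when there are none.
preflight() {
  dir=${1:-.}; findings=0
  names=$(awk 'BEGIN { for (k in ENVIRON) print k }' | leaky_names | tr '\n' ' ')
  if [ -n "$names" ]; then
    echo "FAIL credentials in the agent's environment: $names"; findings=$((findings + 1))
  fi
  if risky_dir "$dir"; then
    echo "FAIL $dir is / or the home directory"; findings=$((findings + 1))
  fi
  if ! has_rollback "$dir"; then
    echo "FAIL $dir has no clean git commit to roll back to"; findings=$((findings + 1))
  fi
  if ! in_container; then
    echo "FAIL no container marker found; this looks like the host"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage: sh preflight.sh <workdir> before starting the agent with
# --dangerously-skip-permissions; a non-zero exit means fix the box first.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```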
This is, by the way, exactly how the people who built the thing use it. Anthropic's own engineers have run swarms of these agents in a while loop, fully unattended, churning through serious work (inside a container, explicitly not on their actual machine). The whole discipline lives in that parenthetical. Let it run wild; just build the cage first.
So no, the answer isn't "auto-approve everything" and it isn't "never." It's the same thing I built into Echo, my PR reviewer, except pointed at yourself: earned, graduated trust. You don't flip Kenny Loggins on for everything on day one. You start with the prompts on, you watch what the agent actually does, you build the container, you narrow what it can reach — and then you flip it on for the low-blast-radius stuff where the worst case is cheap and reversible. Lint fixes. Test generation. The nothing-burger PRs. The work where "it made a mess" costs you a git reset and ninety seconds. As your container gets better and your trust gets earned, the lane widens. It's a dial, not a switch, and the dial is calibrated by blast radius, not bravado.
Which is, finally, why I picked the name. "Dangerously skip" isn't a brag about recklessness. It's a dare and a discipline in one breath. Skipping permissions dangerously is only dangerous if you haven't done the harder, less glamorous work of making the danger safe to court — the sandbox, the least privilege, the rollback, the observability. Do that work, and the danger zone is just... where the fast, fun, productive stuff happens. Skip that work and keep clicking approve, and you're not safe, you just feel safe, right up until the permission system fails open and takes your weekend with it.
Kenny Loggins had it right the whole time. Ride into the danger zone.
Just build the zone first.
