How Claude Code’s Automatic Permission System Balances Security and Usability

1. Trade‑off Options

Claude Code can operate in three modes: sandbox isolation, manual approval, or the --dangerously-skip-permissions flag that disables all prompts, each with different security and maintenance costs.

Sandbox is safe but costly to configure and cannot isolate network/host access.

Skipping permissions removes protection entirely.

Manual approval sits between, yet users still approve about 93 % of requests.

2. How Automatic Mode Works

Automatic mode replaces manual approval with a two‑layer classifier that evaluates both the input the model reads and the actions it attempts to execute.

Input layer

A server‑side prompt‑injection detector scans tool outputs (file reads, web fetches, shell output, etc.) before they enter the model context, flagging suspicious content.

Output layer

A “dialogue classifier” running on Sonnet 4.6 assesses each operation in two stages: a fast single‑token filter that either allows or blocks, followed by a more expensive inference step for flagged items.

The classifier only sees the user message and tool call, not the model’s reply or tool output, keeping the decision process opaque to the model.

3. Threat Model

The classifier targets four main risky behaviors:

Over‑eagerness : the model takes actions beyond explicit user authorization, such as using discovered credentials or deleting perceived obstacles.

Accidental errors : misjudging the scope of impact, e.g., treating shared resources as test data.

Prompt‑injection attacks : malicious commands embedded in files, web pages, or tool output that steer the model.

Model goal misalignment : the model pursues its own objectives (not yet observed in practice).

Typical unsafe actions the automatic mode blocks include expanding scope (deleting remote Git branches), credential searching, self‑inferring parameters, external data leakage (uploading scripts to GitHub Gist), and bypassing safety checks.

4. Permission Decision Flow

Most operations are allowed by the first two layers (built‑in whitelist and project‑local file actions) without invoking the classifier. Only potentially risky actions reach the third layer, the dialogue classifier.

5. Classifier Rules

The classifier follows a fixed template with three customizable sections: environment definition (what is trusted), block rules (≈20 rules covering data destruction, leakage, etc.), and exception rules (allowing certain blocked actions under specific conditions).

6. Evaluation Results

Tests on three datasets—real traffic (10 000 ops), over‑eager cases (52 ops), and simulated data‑leak scenarios (1 000 ops)—show that the two‑stage process reduces false‑positive rate to 0.4 % while keeping false‑negative rates between 5 % and 17 %.

7. Design Decisions

Why the classifier does not see model replies or tool output

Preventing the model from “persuading” the classifier avoids bypasses and reduces the impact of prompt‑injection attacks.

Two‑stage classification

First stage is conservative, boosting recall.

Second stage uses inference to cut false positives, balancing cost and performance.

Importance of prompt‑injection detection

Combining input‑layer detection with output‑layer classification forces an attacker to defeat two independent defenses.

Multi‑agent collaboration

Both task dispatch and result return are checked, preventing sub‑agents from being exploited.

Reject‑but‑continue behavior

If an operation is blocked, the model searches for a safer alternative; repeated failures trigger manual review.

8. Future Plans

Further expansion of test datasets and improvements to the model’s performance are planned. Automatic mode is not perfect but already offers a substantial security gain over an unprotected execution environment; high‑risk scenarios should still involve human oversight.