Modern Creator
Nate Herk | AI Automation · YouTube

STOP Using Bypass Permissions, Use This New Feature Instead

Claude Code ships auto mode — a classifier-backed middle path between constant permission prompts and the anything-goes risk of dangerously skip permissions.

Posted: 2 months ago
Format: Tutorial, educational
Views: 91.5K
Likes: 1.6K

Big Idea

The argument in one line.

Auto mode resolves the productivity-vs-safety tradeoff in Claude Code by running a classifier before every tool call, letting safe actions proceed unattended while blocking destructive ones before they execute.

Who This Is For

Read if. Skip if.

READ IF YOU ARE…
  • You run Claude Code for long or complex tasks and get constantly interrupted by permission prompts asking you to approve individual file writes and bash commands.
  • You have used dangerously skip permissions to get uninterrupted sessions but felt uneasy about what Claude might do without guardrails.
  • You are on the Claude Team plan and want to enable a research preview feature now, before it rolls out to Enterprise and API users.
SKIP IF…
  • You are not using Claude Code — this video is narrowly focused on one permission setting in the Anthropic CLI and has no broader applicability.
  • You already manage a project-level settings.local.json with a tuned allow/deny list and are satisfied with that level of control.
TL;DR

The full version, fast.

Claude Code defaults to conservative permissions that pause execution every time it wants to edit a file or run a bash command — useful for safety, painful for long autonomous tasks. Dangerously skip permissions removes all guardrails and is the common workaround, but it carries real risk. Auto mode is the engineered middle path: before each tool call, a classifier checks for destructive intent (deletes, sensitive data, prompt injection) and either runs the action silently or surfaces a prompt. Safe moves like file reads, grep, and non-destructive edits run automatically; risky moves get blocked or escalated. The tradeoff is slightly higher session cost due to the extra inference on each tool call. Currently a research preview for Claude Team plan users; rollout to Enterprise and API is coming.

Chapters

Where the time goes.

00:00-00:46

01 · What Is Auto Mode

Opens on the Anthropic blog post announcing auto mode. States the problem: permission prompts interrupt long-running tasks, but the only alternative has been dangerously skip permissions.

00:46-01:35

02 · Bypass Permissions and Custom Settings

Shows the existing workaround — a settings.local.json with explicit allow and deny bash command patterns. Acknowledges this is still the best option for fine-grained per-project control.

01:35-02:55

03 · How Auto Mode Works

Reads the official description from the Claude Code terminal. Explains the classifier, the four risk categories it targets, the slight cost increase per session, and the current Team-only availability.

02:55-04:57

04 · Testing Auto Mode

Live demonstration in VS Code. Test 1: asks Claude to delete brand assets — classifier blocks it and escalates to user. Test 2: asks Claude to move a file — runs silently without any prompt, creating a folder and moving the file automatically.

04:57-05:26

05 · How to Enable It

Shows the Organization Settings toggle for allowing auto permissions mode. Demonstrates the claude --enable-auto-mode terminal command and Shift+Tab cycling in VS Code.

05:26-05:41

06 · Final Thoughts

Subscribe ask. Closing note that Anthropic is shipping features daily.

Atomic Insights

Lines worth screenshotting.

  • The default Claude Code permission mode pauses execution before every file write and bash command — safe, but incompatible with long-running autonomous tasks.
  • Dangerously skip permissions is the most-used workaround, but it gives Claude unrestricted access to your file system with no safety net.
  • A custom settings.local.json with explicit allow and deny lists gives per-project control and is still the best option when you need surgical precision.
  • Auto mode inserts an AI classifier before every tool call to decide whether the action is safe enough to run without asking.
  • The classifier targets four risk categories: destructive file operations, sensitive data access, potential prompt injection, and malicious code execution.
  • Safe actions in auto mode — reads, grep, non-destructive edits, file moves — run silently without any user prompt.
  • Risky actions in auto mode — deletes, writes to sensitive paths — get blocked and escalated to the user for confirmation.
  • If Claude keeps getting blocked on a task it considers necessary, it will eventually surface a permission prompt rather than loop indefinitely.
  • Auto mode sessions cost slightly more per run because the classifier itself is an AI inference call layered on top of every tool use.
  • Auto mode is currently a research preview exclusive to Claude Team plan users; Enterprise and API rollout is explicitly announced as coming soon.
  • Enabling auto mode takes one command: claude --enable-auto-mode, or Shift+Tab to cycle through permission modes in the terminal and VS Code.
  • Project admins can disable auto mode entirely for their organization via the managed settings key disableAutoMode.
Takeaway

The classifier that decides what Claude can do alone.

WHAT TO LEARN

Auto mode does not eliminate permission friction — it relocates the judgment call from you to an AI classifier that runs before every tool call.

  • The binary choice between ask every time and skip everything was always a false one — auto mode proves you can insert a third layer of programmatic judgment.
  • A classifier checking for destructive actions before each tool call costs slightly more per session, but that overhead is the price of walking away from a long task without a safety net.
  • The existing settings.local.json allow/deny pattern remains the right tool when you need surgical per-project control; auto mode is the right tool when you want a portable default across all projects.
  • Risky action categories worth knowing: destructive file operations, sensitive data access, prompt injection attempts, and malicious code execution — these are the four things the classifier is trained to catch.
  • Research previews that show up in team plans tend to reach Enterprise and API within weeks; tracking these early gives you a deployment window before competitors have access.
  • The tell that a session used auto mode is the cost increase — a useful signal when reviewing billing to understand how much autonomous tool-calling is actually happening in a session.
Glossary

Terms worth knowing.

Auto mode
A Claude Code permission setting that runs an AI classifier before each tool call to allow safe actions automatically and block or escalate risky ones, sitting between the two existing extremes of ask-every-time and dangerously skip permissions.
dangerously skip permissions
A Claude Code flag that removes all permission prompts, letting the agent execute any file write, bash command, or network call without pausing for user approval. Useful in isolated sandboxes; risky in any environment with real data.
settings.local.json
A per-project configuration file in the .claude folder where developers define explicit allow and deny lists for Claude Code tool calls, giving fine-grained control over what the agent can and cannot do without prompting.
Prompt injection
An attack where malicious instructions hidden in content Claude reads attempt to override or hijack its behavior mid-session. Auto mode's classifier checks for this before executing each tool call.
Research preview
An early-access release of a feature to a subset of users (here, Claude Team plan subscribers) before it is fully rolled out to all plans, intended to gather real-world feedback before wider availability.
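
How an allow/deny/ask list of the kind described under settings.local.json resolves a tool call, as an added example that is not from the video or from Claude Code itself. The settings content and probe commands are constructed; the `Tool(specifier)` rule strings, the `:*` prefix form and the deny-over-ask-over-allow precedence are assumptions about Claude Code's rule format, and the matcher is a simplified model of it.

```python
import json
import re

# Constructed sample of a .claude/settings.local.json permissions block.
# Key names and rule strings are assumed; check them against current docs.
SAMPLE_SETTINGS = json.loads("""
{
  "permissions": {
    "allow": ["Bash(git status)", "Bash(npm run test:*)", "Bash(mv:*)"],
    "ask":   ["Bash(git push:*)"],
    "deny":  ["Bash(rm:*)", "Bash(git push --force:*)", "Read(./.env)"]
  }
}
""")

RULE_RE = re.compile(r"^(\w+)\((.*)\)$")

def matches(rule, tool, arg):
    """Simplified matcher: 'Tool(prefix:*)' is a prefix match, else exact."""
    m = RULE_RE.match(rule)
    if not m or m.group(1) != tool:
        return False
    spec = m.group(2)
    if spec.endswith(":*"):
        prefix = spec[:-2]
        # Require a word boundary so 'rm:*' does not match 'rmdir'.
        return arg == prefix or arg.startswith(prefix + " ")
    return arg == spec

def decide(settings, tool, arg):
    """Deny wins over ask, ask wins over allow; anything unmatched prompts."""
    perms = settings.get("permissions", {})
    for verdict in ("deny", "ask", "allow"):
        if any(matches(r, tool, arg) for r in perms.get(verdict, [])):
            return verdict
    return "prompt"

# Constructed probes: actions that should never resolve to "allow".
DESTRUCTIVE_PROBES = [
    ("Bash", "rm -rf brand-assets"),
    ("Bash", "git push --force origin main"),
    ("Read", "./.env"),
]

def audit(settings):
    """Return the probes this settings file would let run unattended."""
    return [(t, a) for t, a in DESTRUCTIVE_PROBES
            if decide(settings, t, a) == "allow"]

if __name__ == "__main__":
    for tool, arg in DESTRUCTIVE_PROBES + [("Bash", "mv logo.png assets/")]:
        print(f"{decide(SAMPLE_SETTINGS, tool, arg):6} {tool}({arg})")
    print("destructive probes allowed unattended:", audit(SAMPLE_SETTINGS))
```

Running `audit` against a project's own permissions block before starting a long unattended session shows whether any allow rule is broad enough to cover a destructive command.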
Resources Mentioned

Things they pointed at.

04:57 · tool · claude --enable-auto-mode command
Quotables

Lines you could clip.

01:30
Dangerously skip permissions for a reason — if you're not watching it, it could go do anything.
punchy, self-contained warning that resonates with anyone who has left an agent running · TikTok hook
03:35
Auto mode is the middle path — fewer interruptions, less risk than skipping all permissions.
clean one-sentence product description, quotable as a stand-alone insight · IG reel cold open
The Script

Word for word.

00:00 Well, I'm back with another Claude Code update. Today, we have auto mode. Auto mode provides a safer long running alternative to dangerously skip permissions.
00:08 So what that means is when you're in Claude Code and you shoot off a message, you are in some sort of permission mode. In this case, we are in ask before edits. So that means exactly what it sounds like.
00:17 Every time before it does an edit, it's going to stop working and it's gonna ask me. Which means if I wanted to step away or, you know, work on something else, it would keep interrupting my workflow. So right here you can see that it's able to read things, but now when it wants to actually make changes, it's gonna pop up this tab.
00:31 It's gonna say, hey. Am I allowed to do this? You can either say yes for one time only, or you can say yes every time in this session.
00:38 And as you can see, it's popping it up again and stopping my session because it has to make two edits. And it's not just about the writing functions. Sometimes it'll stop your workflow and say, hey.
00:46 Can I do this web fetch? Or can I run this bash command? So the other option that a lot of people have been using and what I've shown sometimes in my videos is that you can use bypass permissions mode, which basically means Claude will do anything at whatever it wants, and it won't ask for any permission.
01:00 Which sounds great because a lot of times when you're working on stuff, just want it to go through and not interrupt you. But it's called dangerously skip permissions for a reason because at the end of the day, if you're not watching it, it could go do anything. So the fix that I had been using for a long time is within my .claude folder, I would have a local settings file, which looks like this.
01:16 And this basically says, okay, Claude Code, you can do anything on your allow list, but you can't do anything on your deny list. And anything here, you have to ask me explicitly before. And so this gave me a lot more control over what Code does and what it can't do.
01:30 And in some cases, still think that this is the actual best option to use, because you can change these per project, and you could also set this globally if you'd like. But with Claude Code's new release of auto mode, it basically makes those permission decisions on your behalf. So now instead of having to copy and paste this settings file over to all of my new projects, I could basically just come into the permissions mode.
01:48 I could change this to auto mode right here, which says Claude will automatically choose the best permission mode for each task. And you can do this in VS Code like you're seeing me do right here. Or if you open up a terminal and you run Claude like this, which is Claude enable auto mode, it will launch up Claude.
02:03 And then when you shift tab through, you can see that we now have the auto mode setting. And right here, you can see that it says auto mode lets Claude handle permissions automatically. Claude checks each tool for risky actions and prompt injection before executing.
02:15 Actions Claude identifies as safe are executed, while actions Claude identifies as risky are blocked, and Claude may try a different approach. It's ideal for long running tasks. Sessions are slightly more expensive.
02:24 Claude can make mistakes that allow harmful commands to run, so it's recommended to only use in isolated environments. So right now, this is only available in the team plans. Right here, you can see I'm on Claude team.
02:35 Because it is a research preview, but soon it will be coming to enterprise plan and API users. And so now that I have auto mode on, whether that's in my terminal or whether that is in my VS Code, I could basically run some skills, run some agents, walk away, and I would have a little bit more confidence that it's going to be managing permissions for me.
02:52 And if it's something that's super unsafe, it will probably block it. So just as a test, I'm going to send off a message that says delete my brand assets while I'm in auto mode because this might be something that I wouldn't want it to do. In my settings dot local dot JSON, I basically exclude it from running any commands that would remove or delete things.
03:09 So let's see what happens here in auto mode. Okay. This is awesome.
03:12 It actually says, okay. This is a risky thing. I'm gonna go ahead and ask the user if I should do this, and I'm able to then say, nope.
03:18 I don't want you to delete them. Just keep them, and then it's going to basically stop that operation. But if we try something that's a little bit less risky but still, you know, changes the way that your folder is set up or something like that, in this case, I'm asking it to move my claw dot PNG, which is right here.
03:31 Just move it somewhere else in my project, and hopefully, it's able to do this without confirming for me because it's not really a risky action, and it should be able to just keep going and not stop my workflow. So it just did a lot of things, and it didn't ask me for any permission. It created a new folder right here called assets.
03:45 That's where it ended up moving it. It also had to do a grep. It had to do an edit.
03:49 It had to do a read. It sent me some more information, and it did all of that, like I said, on auto mode without asking me for permission because none of that was risky. So the way that this works is Claude Code, by default, the permissions are purposely conservative.
04:01 Every file write and bash command asks for approval. It's a safe default, but it means that you can't just kick off a huge task and walk away, which is really annoying. I'm sure all of you guys have experienced that.
04:10 While some developers choose to bypass permissions, myself included, with dangerously skip permissions, this can result in dangerous and destructive outcomes and should not be used outside of isolated environments. So auto mode is the middle path that lets you run longer tasks with fewer interruptions while introducing less risk than skipping all permissions.
04:27 That's pretty cool because basically before every single tool call, a classifier reviews it to check for potentially destructive actions like deleting or sensitive data. Things like that. So basically it reduces risk, but it does not eliminate it entirely.
04:41 And we also did see in the terminal, if I go back over here and go to the terminal, it basically said here that these sessions are slightly more expensive because I'm assuming before every tool call, it uses AI to say, hey. Is this dangerous? What should I do?
04:54 And that would explain why it's more expensive. So like I said, in order to use this, it is right now research preview, and it's only available for Claude Team users. But if you are on a team, all you have to do is you come in here and you go to your organization settings, and then you right here are able to enable allowing auto permissions mode.
05:10 Same way that you would allow bypass permissions mode. And then you guys saw earlier, all we had to do was we had to run this command right here, claude dash dash enable auto mode. Or if you're in VS Code and you're just using it like this, you should be able to see it right there.
05:23 And then also if you want to be able to disable it, you can do that like that. So anyways, I know that was a super quick one, but I wanna keep you guys up to date because Anthropic is shipping every single day. So if you learned something new or you enjoyed the video, please give it a like.
05:34 Definitely helps me out a ton. And as always, I appreciate you guys making it to the end of the video. I'll see you on the next one.
05:39 Thanks, everyone.
The Hook

The bait, then the rug-pull.

Claude Code just shipped a permission mode nobody asked for by name but everyone needed: something between the stop-and-ask default and the full-trust chaos of dangerously skip permissions. Auto mode is that third option, and this video is a crisp five-minute proof that it works.

Frameworks

Named ideas worth stealing.

01:35 · list

Three Permission Modes

  1. Ask before every action (default)
  2. Custom allow/deny list via settings.local.json
  3. Auto mode (classifier-based)

The video implicitly frames three tiers of Claude Code permission management from most to least manual intervention.

Steal for: any explainer on AI agent safety settings
CTA Breakdown

How they asked for the click.

05:26 · subscribe
if you learned something new or you enjoyed the video, please give it a like. Definitely helps me out a ton.

Soft and fast — one sentence at the very end after all content is delivered. No mid-roll pitch.

Storyboard

Visual structure at a glance.

  • 00:00 · hook · blog post intro
  • 00:46 · context · settings.local.json
  • 01:35 · value · auto mode description
  • 02:55 · demo · live test
  • 04:57 · cta · enable steps
  • 05:26 · cta · subscribe