[DOCS] Contradictory security advice regarding `--dangerously-skip-permissions` usage in Best Practices vs Devcontainer docs

Resolved 💬 4 comments Opened Jan 22, 2026 by coygeek Closed Mar 7, 2026

Documentation Type

Unclear/confusing documentation

Documentation Location

Section/Topic

  • Best Practices: "Safe Autonomous Mode" section - Devcontainer: Introduction / "Key features" / "Security features"

Current Documentation

From Best Practices (Safe Autonomous Mode):

"Letting Claude run arbitrary commands can result in data loss, system corruption, or data exfiltration via prompt injection. Only use --dangerously-skip-permissions in a sandbox without internet access." "To minimize these risks, use --dangerously-skip-permissions in a container without internet access."

From Devcontainer:

"The container's enhanced security measures (isolation and firewall rules) allow you to run claude --dangerously-skip-permissions to bypass permission prompts for unattended operation." "Precise access control: Restricts outbound connections to whitelisted domains only (npm registry, GitHub, Claude API, etc.)" "The firewall permits outbound DNS and SSH connections"

What's Wrong or Missing?

There is a direct contradiction regarding the safety requirements for the --dangerously-skip-permissions flag.

  1. The Best Practices guide explicitly states the flag should "Only" be used in a sandbox "without internet access" to prevent data exfiltration.
  2. The Devcontainer guide encourages using this flag but explicitly notes that the container does have internet access (whitelisted domains like GitHub/npm, plus outbound DNS and SSH).

A user following the "Best Practices" strictly would consider the Devcontainer unsafe for this flag because it allows outbound connections (potentially allowing exfiltration to a malicious GitHub repo or via DNS tunneling). Conversely, the Devcontainer documentation implies the firewall is sufficient mitigation, contradicting the "no internet access" rule.

Suggested Improvement

The documentation should align the definition of a "safe environment" for this flag.

Option A (Update Best Practices):
Nuance the warning in Best Practices to acknowledge that strict egress filtering is an acceptable alternative to a fully offline environment.

Suggested text:

"To minimize these risks, use --dangerously-skip-permissions in a container without internet access, or one with strict network firewall rules (allowlisting only essential domains) such as the reference devcontainer."

Option B (Clarify Devcontainer):
Add a note in the Devcontainer docs that while the firewall reduces risk, it does not provide the absolute isolation recommended in the Best Practices.

Impact

High - Prevents users from using a feature

Additional Context

  • If the Devcontainer allows writing to GitHub (which it must to push code), a prompt injection attack could theoretically exfiltrate local secrets by pushing them to a public repository. This violates the intent of the "no internet access" warning in the Best Practices guide.
  • Clarifying this distinction is crucial for enterprise users auditing security risks.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗