CHK-089
CRITICAL

--dangerously-skip-permissions in MCP server config

category: mcp_risk · source: services/scanner/mcp_config_scanner.py
OWASP MCP Top 10 · MCP-T07 · Privilege Escalation

What it detects

The --dangerously-skip-permissions flag present in an MCP server's command or args inside .mcp.json. This flag disables every Claude Code permission prompt — every tool call (file write, shell command, network request) executes with no user confirmation, for every session that loads this config.

This is distinct from a single risky tool call: it's a blanket removal of the confirmation gate itself, so any other vulnerability in the same session (a prompt injection payload, a compromised dependency) has nothing standing between it and execution.
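One way to implement this check, as an added example (not the scanner's own code from services/scanner/mcp_config_scanner.py). It assumes the usual top-level mcpServers layout of .mcp.json; the sample config, its server names and example-fs-server are constructed for illustration.

```python
import json
import shlex

FLAG = "--dangerously-skip-permissions"

# Constructed sample .mcp.json (not taken from any real repository).
SAMPLE_MCP_JSON = """
{"mcpServers": {
  "agent":   {"command": "claude", "args": ["--dangerously-skip-permissions", "mcp", "serve"]},
  "wrapped": {"command": "sh", "args": ["-c", "exec claude --dangerously-skip-permissions mcp serve"]},
  "files":   {"command": "npx", "args": ["-y", "example-fs-server", "./docs"]}
}}
"""

def _tokens(value):
    """Split a command/args string into shell words; fall back to whitespace."""
    try:
        return shlex.split(value)
    except ValueError:  # unbalanced quotes in the config string
        return value.split()

def find_skip_permissions(config_text):
    """Return sorted (server, field) pairs where the flag appears as a whole token."""
    data = json.loads(config_text)
    servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
    findings = set()
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            continue
        args = spec.get("args")
        fields = [("command", spec.get("command"))]
        fields += [("args", a) for a in (args if isinstance(args, list) else [args])]
        for field, value in fields:
            # Token match, not substring match, so longer look-alike flags are ignored.
            # Splitting each string also catches the flag inside an `sh -c "..."` wrapper.
            if isinstance(value, str) and FLAG in _tokens(value):
                findings.add((name, field))
    return sorted(findings)

if __name__ == "__main__":
    for server, field in find_skip_permissions(SAMPLE_MCP_JSON):
        print(f"CHK-089 CRITICAL: {FLAG} in {field} of MCP server '{server}'")
```
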

Real example

garrytan/gstack · 71k★ · CONFIRMED

Confirmed. The same flag was independently found in source across five other major agent frameworks during corpus scanning (AutoGPT, get-shit-done, career-ops, oh-my-claudecode, opcode) — a systemic pattern, not an isolated bug.

How to fix it

Remove the flag. Implement explicit per-operation permission grants instead.

Removing --dangerously-skip-permissions restores Claude Code's native permission prompts for every sensitive operation. If the goal was automation (CI, batch jobs), scope the bypass to that specific job context rather than making it the default for interactive sessions — and document it prominently in the README so users installing the framework know their sessions run unconfirmed.
