--dangerously-skip-permissions in MCP server config
What it detects
The --dangerously-skip-permissions flag present in an MCP server's command or args inside .mcp.json. This flag disables every Claude Code permission prompt — every tool call (file write, shell command, network request) executes with no user confirmation, for every session that loads this config.
This is distinct from a single risky tool call: it's a blanket removal of the confirmation gate itself, so any other vulnerability in the same session (a prompt injection payload, a compromised dependency) has nothing standing between it and execution.
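One way to implement this check, as an added example that is not the scanner's own code: it parses .mcp.json text, walks each entry under mcpServers, and reports where the flag appears in command or args, including when it is embedded in a wrapped command line such as the argument to sh -c. The function name, server names and sample config are constructed for illustration.

```python
import json
import shlex

FLAG = "--dangerously-skip-permissions"

def _tokens(value):
    """Split a command or arg string into shell-style tokens."""
    try:
        return shlex.split(value)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return value.split()

def find_skip_permissions(config_text):
    """Return (server_name, field) pairs where the flag appears.

    Checks `command` and every entry of `args`. Each string is tokenized so
    a flag hidden inside a wrapped command line is still found, while an
    unrelated string that merely contains the flag text is not reported.
    """
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            continue
        fields = [("command", spec.get("command"))]
        fields += [(f"args[{i}]", a) for i, a in enumerate(spec.get("args") or [])]
        for field, value in fields:
            if isinstance(value, str) and FLAG in _tokens(value):
                findings.append((name, field))
    return findings

# Constructed sample config; server names and commands are illustrative.
SAMPLE = """
{
  "mcpServers": {
    "direct":  {"command": "claude", "args": ["mcp", "serve", "--dangerously-skip-permissions"]},
    "wrapped": {"command": "sh", "args": ["-c", "claude --dangerously-skip-permissions mcp serve"]},
    "clean":   {"command": "npx", "args": ["-y", "example-mcp-server"]}
  }
}
"""

if __name__ == "__main__":
    for server, field in find_skip_permissions(SAMPLE):
        print(f"{server}: {FLAG} in {field}")
```

Run as a pre-commit or CI step over every .mcp.json in the repository, a non-empty result is a reason to fail the check.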
Real example
Confirmed. The same flag was independently found in source across five other major agent frameworks during corpus scanning (AutoGPT, get-shit-done, career-ops, oh-my-claudecode, opcode) — a systemic pattern, not an isolated bug.
How to fix it
Removing --dangerously-skip-permissions restores Claude Code's native permission prompts for every sensitive operation. If the goal was automation (CI, batch jobs), scope the bypass to that specific job context rather than making it the default for interactive sessions — and document it prominently in the README so users installing the framework know their sessions run unconfirmed.