Claude Code 'Auto' mode flagged as unsafe AI configuration
XFA's unsafe AI mode check now recognises Claude Code's newer persisted permission modes alongside the legacy dangerouslySkipPermissions flag, so administrators get accurate reporting whenever an agent is configured to auto-approve every tool call.
The following values of permissions.defaultMode in ~/.claude/settings.json (or ~/.claude/settings.local.json) are now flagged as unsafe because they auto-approve every tool call, including shell commands and network requests:
bypassPermissions— persisted equivalent of running with--dangerously-skip-permissions. Treat this as 'agent has full local user privileges'.auto— the new Claude Code 'Auto' mode. Same risk class: skips permission prompts via a classifier and is intended for sandboxed CI, not for personal devices.
Both modes are unsafe to run on machines with credentials or production access. Safe values (default, plan, acceptEdits) remain unflagged. Devices configured with either flagged mode are now reported in the Unsafe AI Mode check, and end users see remediation steps in the in-app guide.