A guide to safely running coding agents in YOLO mode locally A developer published a guide for running coding agents like Claude Code in YOLO mode inside Docker containers to protect the host machine from dangerous actions. The setup mounts the working directory as a volume and uses a Dockerfile to install the agent with permission skipping, though authentication and plugin persistence require additional steps. The approach aims to balance efficiency and safety but does not prevent data exfiltration via prompt injection. TL;DR This is a guide on how to set things up so that you can run cc in any directory and get a Docker container with a coding agent running in YOLO mode with all your plugins, skills, and configs, so you don't need to approve what it does but you still keep your machine safe. If you don't want to read you can just use my yolo-agents repo https://github.com/yakkomajuri/yolo-agents , but it's specific to Claude Code and you may need to tweak it to your system/needs, which is why I wrote a whole guide explaining the concepts you need to know. Intro I've been surprised to hear that a lot of my friends are either still approving every other thing Claude Code or Codex does, or that they run these coding agents in YOLO mode freely without any guardrails. I think the former is much better than the latter, since you're not being a turkey /blog/the-openclaw-turkey-problem , but it is inefficient. And those just running on YOLO straight up are running more risk than they think in my opinion. Claude Code has launched "Auto mode" now, which appears helpful, but I'd be scared to completely trust it. So I thought it was a good time to write about how to have a seamless setup for running these agents in YOLO mode in a Docker container. I never wrote about this before because I thought it would be commonplace, but I realized it doesn't seem to be. Hence, here it is, a tutorial on how to set things up so that you run one command in my case cc and get a running Claude Code or whatever coding agent you use in YOLO mode with access to your config, skills, plugins, relevant packages, and the current directory. Running it this way means that anything dangerous or malicious is going to happen inside that Docker container, so the agent can't delete your home directory for instance. As a result, you can let it run more freely without approving the stuff it does. You're still subject to other vulnerabilities though, such as the agent exfiltrating sensitive stuff like your code or any keys it might have access to if it gets prompt injected. Just making it clear that this setup doesn't protect you from everything, but it does protect your machine. Guide Prerequisites - Docker installed - A coding agent of your choice I'll use Claude Code for the example My setup is for MacOS, but it should also work on Linux. It won't work on Windows but the concepts will generally be the same. What we're doing Basically the things we want to accomplish are: - Running the coding agent in a Docker container for safety - Ensuring that the agent has access to do anything in the directory you want it to work in - Making this as easy to run as running the agent outside a container - Ensuring all of our skills, plugins, etc. are available in the container - Ensuring the agent has all the tools it needs to work Step 1: Put the agent in the container The simplest working thing we can do is just a Dockerfile that installs e.g. Claude Code. That would look like this: FROM node:20-bookworm-slim RUN apt-get update && apt-get install -y --no-install-recommends \ git \ curl \ ca-certificates \ && rm -rf /var/lib/apt/lists/ RUN curl -fsSL https://claude.ai/install.sh | bash ENV PATH="/root/.local/bin:${PATH}" WORKDIR /workspace ENTRYPOINT "claude", "--dangerously-skip-permissions" Now you just need to run docker build -t claude-code . once and then you can run docker run -it -v "$PWD:/workspace" claude-code and boom, you've got Claude Code running with access to everything in the current directory because we're mounting it as a volume . The problem is that you need to authenticate every time, your skills and plugins are not going to come through, and this is a bit annoying to type out. So let's keep going. Step 2: Auth This is the first gotcha, at least on MacOS. Claude Code on Mac stores credentials in Keychain, meaning we can't just mount ~/.claude/.credentials.json and be done with it. Now this is one of the parts where the approach will vary from coding agent to coding agent, which is the partly why I'm building this guide: by being aware of the gotchas and moving parts, you can build/prompt this yourself for your setup more easily, otherwise you might get stuck debugging. I wonder if you could just point your agent to this post and have it serve as a spec. Anyway, so for Claude Code what we want now is to make a little entrypoint.sh script: bash /bin/bash set -e take a token from the env and add it to credentials.json if -n "${CLAUDE CODE OAUTH TOKEN:-}" ; then mkdir -p "$HOME/.claude" cat "$HOME/.claude/.credentials.json" <