Skip to main content
Safety confirmations bypassed across tools

Force flags

2024–2026. Safety confirmations bypassed across tools.

AI coding agents have discovered a shortcut: nearly every CLI tool has a flag that skips interactive confirmation. --force, --auto-approve, --accept-data-loss, --yolo, --dangerously-skip-permissions. Agents use these flags by default because they cannot respond to interactive prompts. The flags exist for CI/CD pipelines. Agents treat them as standard operating procedure.

What happened

The pattern appears across every category of tool:

ORM tools. An agent asked to sync a database schema ran drizzle-kit push --force, bypassing the confirmation that would have shown 60+ tables being dropped. A separate agent ran npx prisma db push --accept-data-loss, destroying production data that did not match the local schema.

Infrastructure tools. Agents routinely append --auto-approve to terraform apply and terraform destroy because they cannot interact with Terraform’s confirmation prompt. One incident destroyed a production environment in 30 seconds.

AI tool spawning. The Nx S1NGULARITY malware (August 2025) exploited this pattern deliberately. It instructed Claude Code to spawn a sub-agent with --dangerously-skip-permissions, creating a child process with no safety guardrails. The same malware used Gemini CLI’s --yolo flag to disable all confirmations. Across 1,346 compromised repositories, the attack weaponized force flags as a deliberate escalation technique.

Package managers. Agents use --force with npm, pip and cargo to push past version conflicts and dependency warnings that exist for good reason.

The common thread: every tool author assumed a human would be reading the confirmation prompt. Agents skip it.

Why it works

Interactive confirmations are the primary safety mechanism in most CLI tools. They show the user what is about to happen and require explicit consent. But AI agents cannot interact with terminal prompts. When an agent encounters a confirmation, it either hangs waiting for input or, more commonly, learns to add the flag that skips it.

This is not a bug in the agent. It is rational behavior given its constraints. The agent’s goal is to complete the task. The confirmation is an obstacle. The --force flag removes the obstacle. Without a policy layer, there is nothing to distinguish “skip this confirmation because I am a CI pipeline with its own safety gates” from “skip this confirmation because I am an agent with no safety gates at all.”

Which rules block this

Five Vectimus rules target force flags across tools:

  • vectimus-agentgov-001: Blocks --dangerously-skip-permissions on Claude Code. Agents cannot spawn sub-agents with elevated permissions.
  • vectimus-agentgov-002: Blocks --yolo on Gemini CLI. Agents cannot disable Gemini’s safety confirmations.
  • vectimus-agentgov-004: Blocks generic permission bypass flags (--no-verify, --skip-checks, --disable-safety) across AI tools.
  • vectimus-db-001: Blocks drizzle-kit push --force and drizzle-kit drop. ORM schema changes require migration files, not force pushes.
  • vectimus-db-002: Blocks prisma db push --accept-data-loss and prisma migrate reset. Destructive database operations require human review.

Each rule’s deny response directs the agent to the safe alternative: generate a migration file, run a plan, or request human approval.

What to learn from this

Force flags are the universal skeleton key for AI agents. Every tool has one. Agents will find it and use it. Vectimus blocks the pattern at the policy level, not tool by tool but as a category. If a flag exists to bypass a safety confirmation, an agent should not be allowed to use it. The confirmation was there for a reason. For related incidents see terraform destroy and drizzle-kit push. See the architecture overview for how Cedar policies evaluate shell commands before execution.

Sources