packages/kilo-docs/pages/getting-started/settings/auto-approving-actions.md
{% callout type="danger" %} Security Warning: Auto-approve settings bypass confirmation prompts, giving Kilo Code direct access to your system. This can result in data loss, file corruption, or worse. Command line access is particularly dangerous, as it can potentially execute harmful operations that could damage your system or compromise security. Only enable auto-approval for actions you fully trust. {% /callout %}
Auto-approve settings speed up your workflow by eliminating repetitive confirmation prompts, but they significantly increase security risks. The VSCode (Legacy), VSCode, and CLI versions each handle permissions differently — choose the tab that matches your setup.
{% tabs %} {% tab label="VSCode" %}
The extension uses a granular, per-tool permission system. You can configure permissions through the Settings → Auto Approve tab, which provides a UI with per-tool Allow / Ask / Deny dropdowns.
The UI reads and writes to the same kilo.jsonc config files used by the CLI, so changes made in either place are reflected in both.
Each tool permission can be set to one of three values:
| Value | Behavior |
|---|---|
"allow" | The tool runs automatically without prompting |
"ask" | Kilo pauses and asks for approval before running the tool |
"deny" | The tool is blocked entirely |
When no rule matches a permission check, the default action is ask.
The Auto Approve tab lists the following tool-specific permissions. Some tools are grouped together in the UI and share a single permission level:
| Permission | Controls |
|---|---|
external_directory | Accessing files outside the project directory |
bash | Executing shell commands |
read | Reading file contents |
edit | Editing existing files |
glob | File pattern matching / searching by name |
grep | Searching file contents by regex |
task | Launching sub-agents |
agent_manager | Starting Agent Manager local or worktree sessions |
skill | Loading specialized skills |
lsp | Language server protocol operations |
todoread / todowrite | Reading and updating the todo list |
websearch / codesearch | Performing web or code searches |
webfetch | Fetching content from URLs |
doom_loop | Allowing the agent to continue after repeated failures |
When a tool is set to "ask", Kilo pauses and displays a permission prompt with two options:
| Option | Behavior |
|---|---|
| Run | Allow this specific invocation |
| Deny | Block this specific invocation |
Use the shield button in the prompt controls to toggle runtime auto-approve for permission prompts without opening Settings. When enabled, the shield is highlighted and pending permission prompts are approved automatically. The runtime state stays synced across the sidebar, open Kilo tabs, and Agent Manager session views.
Expand Manage Auto-Approve Rules to add commands or patterns to your allowed or denied lists. These rules are then appended to the bottom of the approval rules in settings and the config file.
For the agent_manager tool, runtime approvals use the requested mode as the pattern: worktree or local.
MCP tools use the same allow / ask / deny permission system as built-in tools. Each MCP tool's permission key is its namespaced name: {server}_{tool} (e.g. github_create_pull_request). You can use glob patterns like github_* for broad rules.
For full details and examples, see MCP Tool Permissions.
Most tools default to "*": "allow" for a smooth out-of-the-box experience. Notable exceptions that prompt by default:
.env files — reading .env files prompts for approval. Files matching *.env.* (e.g., .env.local, .env.production) also trigger an ask, while *.env.example is explicitly allowed.external_directory — accessing files outside the project prompts for approvaldoom_loop — prompts when the agent enters a repeated failure cycle{% /tab %} {% tab label="CLI" %}
The CLI uses a granular, per-tool permission system configured in kilo.jsonc. Instead of broad categories like "read" or "write," each tool has its own permission level with glob-pattern rules for fine-grained control.
Each tool permission can be set to one of three values:
| Value | Behavior |
|---|---|
"allow" | The tool runs automatically without prompting |
"ask" | Kilo pauses and asks for approval before running the tool |
"deny" | The tool is blocked entirely |
When no rule matches a permission check, the default action is ask.
Permissions are configured under the permission key in kilo.jsonc. The following tool-specific permission levels are available:
| Permission | Controls |
|---|---|
external_directory | Accessing files outside the project directory |
bash | Executing shell commands |
read | Reading file contents |
edit | Editing existing files |
glob | File pattern matching / searching by name |
grep | Searching file contents by regex |
task | Launching sub-agents |
skill | Loading specialized skills |
lsp | Language server protocol operations |
todoread / todowrite | Reading and updating the todo list |
websearch / codesearch | Performing web or code searches |
webfetch | Fetching content from URLs |
doom_loop | Allowing the agent to continue after repeated failures |
Instead of a simple "allow" or "deny", each tool can use glob-pattern rules for granular control. Patterns are matched against the tool's arguments (command strings, file paths, etc.), and the last matching rule wins.
Allow git commands automatically, but prompt for everything else:
{
"permission": {
"bash": {
"git *": "allow",
"*": "ask"
}
}
}
Prompt before reading .env files, but allow all other reads:
{
"permission": {
"read": {
"*.env": "ask",
"*": "allow"
}
}
}
Deny rm -rf commands, allow common dev commands, and ask for anything else:
{
"permission": {
"bash": {
"rm -rf *": "deny",
"npm *": "allow",
"bun *": "allow",
"git *": "allow",
"*": "ask"
}
}
}
Different agents can have different permission levels. Override the default permissions for a specific agent under the agent.<name>.permission key:
{
"permission": {
"bash": { "*": "ask" }
},
"agent": {
"code": {
"permission": {
"bash": { "git *": "allow", "*": "ask" }
}
},
"plan": {
"permission": {
"bash": { "*": "deny" }
}
}
}
}
In this example, the code agent can run git commands automatically and asks for other shell commands, while the plan agent cannot run shell commands at all.
When a tool is set to "ask", Kilo pauses and displays a permission prompt. You have three options:
| Option | Behavior |
|---|---|
| Allow once | Allow this specific invocation only |
| Allow always | Save an allow rule for the matching tool or pattern in your global config |
| Reject | Block this specific invocation |
For shell commands, saved approvals are written under permission.bash and apply across CLI sessions.
Most tools default to "*": "allow" for a smooth out-of-the-box experience. Notable exceptions that prompt by default:
.env files — reading .env files prompts for approval. Files matching *.env.* (e.g., .env.local, .env.production) also trigger an ask, while *.env.example is explicitly allowed.external_directory — accessing files outside the project prompts for approvaldoom_loop — prompts when the agent enters a repeated failure cycleMCP tools use the same allow / ask / deny permission system as built-in tools. Each MCP tool's permission key is its namespaced name: {server}_{tool} (e.g. github_create_pull_request). You can use glob patterns like github_* for broad rules.
For full details and examples, see MCP Tool Permissions.
{% callout type="info" %} This is a custom example showing the available configuration options — it does not represent the shipped defaults. {% /callout %}
{
"permission": {
"read": { "*.env": "ask", "*": "allow" },
"edit": { "*.env": "ask", "*": "allow" },
"glob": { "*": "allow" },
"grep": { "*": "allow" },
"list": { "*": "allow" },
"bash": { "git *": "allow", "npm *": "allow", "*": "ask" },
"task": { "*": "allow" },
"skill": { "*": "allow" },
"lsp": { "*": "allow" },
"todoread": { "*": "allow" },
"todowrite": { "*": "allow" },
"webfetch": { "*": "allow" },
"websearch": { "*": "allow" },
"codesearch": { "*": "allow" },
"external_directory": { "*": "ask" },
"doom_loop": { "*": "ask" }
},
"agent": {
"code": {
"permission": {
"bash": { "git *": "allow", "npm *": "allow", "*": "ask" }
}
}
}
}
{% /tab %} {% tab label="VSCode (Legacy)" %}
{% image src="/docs/img/auto-approving-actions/auto-approving-actions.png" alt="Auto-approve toolbar collapsed state" width="800" caption="Prompt box and Auto-Approve Toolbar showing enabled permissions" /%}
Click the toolbar to expand it and configure individual permissions:
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-1.png" alt="Auto-approve toolbar expanded state" width="800" caption="Expanded toolbar with all options" /%}
| Permission | What it does | Risk level |
|---|---|---|
| Read files and directories | Lets Kilo Code access files without asking | Medium |
| Edit files | Lets Kilo Code modify files without asking | High |
| Execute approved commands | Runs whitelisted terminal commands automatically | High |
| Use the browser | Allows headless browser interaction | Medium |
| Use MCP servers | Lets Kilo Code use configured MCP services | Medium-High |
| Switch modes | Changes between Kilo Code modes automatically | Low |
| Create & complete subtasks | Manages subtasks without confirmation | Low |
| Retry failed requests | Automatically retries failed API requests | Low |
| Answer follow-up questions | Selects default answer for follow-up questions | Low |
| Update todo list | Automatically updates task progress | Low |
The leftmost checkbox works as a master toggle:
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-14.png" alt="Master toggle in Auto-approve toolbar" width="800" caption="Master toggle controls all auto-approve permissions at once" /%}
Use the master toggle when:
The settings panel provides detailed control with important security context. To access these settings:
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-4.png" alt="Settings panel auto-approve options" width="800" caption="Complete settings panel view" /%}
{% callout type="info" %} Allow Kilo Code to automatically perform operations without requiring approval. Enable these settings only if you fully trust the AI and understand the associated security risks. {% /callout %}
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-6.png" alt="Read-only operations setting" width="800" caption="Read operations settings" /%}
Setting: "Always approve read-only operations"
Description: When enabled, Kilo Code will automatically view directory contents and read files without requiring you to click the Approve button.
Risk level: Medium
While this setting only allows reading files (not modifying them), it could potentially expose sensitive data. Still recommended as a starting point for most users, but be mindful of what files Kilo Code can access.
Setting: "Allow reading files outside the workspace"
Description: When enabled, Kilo Code can read files outside the current workspace directory without asking for approval.
Risk level: Medium-High
This setting extends read permissions beyond your project folder. Consider the security implications:
Recommendation: Keep disabled unless you specifically need Kilo Code to read files outside your project.
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-7.png" alt="Write operations setting with delay slider" width="800" caption="Write operations settings with diagnostic delay slider" /%}
Setting: "Always approve write operations"
Description: Automatically create and edit files without requiring approval
Delay slider: "Delay after writes to allow diagnostics to detect potential problems" (Default: 1000ms)
Risk level: High
This setting allows Kilo Code to modify your files without confirmation. The delay timer is crucial:
Setting: "Allow writing files outside the workspace"
Description: When enabled, Kilo Code can create or modify files outside the current workspace directory without asking for approval.
Risk level: Very High
Use with caution and in controlled environments. It allows Kilo Code to:
Recommendation: Keep disabled unless absolutely necessary. Even experienced users should avoid this setting.
Setting: "Allow writing to protected files"
Description: When enabled, Kilo Code can overwrite or modify files that are normally protected by the .kilocodeignore file.
Risk level: Very High
Protected files are intentionally shielded from modification. Enable only if you understand the consequences.
{% callout type="danger" %} Delete Operations
Setting: "Always approve delete operations"
Description: Automatically delete files and directories without requiring approval
Risk level: Very High
This setting allows Kilo Code to permanently remove files without confirmation.
Safeguards:
.kilocodeignore rulesRecommendation: Enable only in isolated environments or when working with temporary/generated files. Always ensure you have backups, checkpoints, or version control. {% /callout %}
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-8.png" alt="Browser actions setting" width="800" caption="Browser actions settings" /%}
Setting: "Always approve browser actions"
Description: Automatically perform browser actions without requiring approval
Note: Only applies when the model supports computer use
Risk level: Medium
Allows Kilo Code to control a headless browser without confirmation. This can include:
Consider the security implications of allowing automated browser access.
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-9.png" alt="API requests retry setting with delay slider" width="800" caption="API request retry settings" /%}
Setting: "Always retry failed API requests"
Description: Automatically retry failed API requests when server returns an error response
Risk level: Low
This setting automatically retries API calls when they fail.
The delay controls how long Kilo Code waits before trying again:
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-10.png" alt="MCP tools setting" width="800" caption="MCP tools auto-approval settings" /%}
Setting: "Always approve MCP tools"
Description: Enable auto-approval of individual MCP tools in the Agent Behaviour > MCP Servers view (requires both this setting and the tool's individual 'Always allow' checkbox)
Risk level: Medium-High (depends on configured MCP tools)
This setting works in conjunction with individual tool permissions in the Agent Behaviour > MCP Servers view. Both this global setting and the tool-specific permission must be enabled for auto-approval.
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-11.png" alt="Mode switching setting" width="800" caption="Mode switching settings" /%}
Setting: "Always approve mode switching"
Description: Automatically switch between different modes without requiring approval
Risk level: Low
Allows Kilo Code to change between different modes (Code, Architect, etc.) without asking for permission. This primarily affects the AI's behavior rather than system access.
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-12.png" alt="Subtasks setting" width="800" caption="Subtasks auto-approval settings" /%}
Setting: "Always approve creation & completion of subtasks"
Description: Allow creation and completion of subtasks without requiring approval
Risk level: Low
Enables Kilo Code to create and complete subtasks automatically. This relates to workflow organization rather than system access.
{% image src="/docs/img/auto-approving-actions/auto-approving-actions-13.png" alt="Command execution setting with whitelist interface" width="800" caption="Command execution settings with allowlist and denylist" /%}
Setting: "Always approve allowed execute operations"
Description: Automatically execute allowed terminal commands without requiring approval
Risk level: High
This setting allows terminal command execution with controls. While risky, the allowlist and denylist features limit what commands can run.
* wildcard in production or with sensitive dataSetting: "Command prefixes that can be auto-executed"
Add command prefixes (e.g., git, npm, ls) that Kilo Code can run without asking. Use * to allow all commands (use with caution).
Interface elements:
Setting: "Command prefixes that are always blocked"
Commands in this list will never run, even if * is in the allowed list. Use this to create exceptions for potentially dangerous commands.
Setting: "Always default answer for follow-up questions"
Description: Automatically selects the first AI-suggested answer for a follow-up question after a configurable timeout. This speeds up your workflow by letting Kilo Code proceed without manual intervention.
Visual countdown: When enabled, a countdown timer appears on the first suggestion button in the chat interface, showing the remaining time before auto-selection. The timer displays seconds remaining (e.g., "3s") and counts down in real-time.
Timeout slider: Use the slider to set the wait time (Range: 1-300 seconds, Default: 60s).
Override options: You can cancel the auto-selection at any time by:
Risk level: Low
Use cases:
Setting: "Always approve todo list updates"
Description: Automatically update the to-do list without requiring approval
Risk level: Low
This setting allows Kilo Code to automatically update task progress and todo lists during work sessions. This includes:
Use cases:
This is particularly useful when combined with the Subtasks permission, as it allows Kilo Code to maintain a complete picture of project progress without constant approval requests.
{% callout type="danger" %} YOLO Mode (Risk: Maximum)
"You Only Live Once" mode enables all auto-approve permissions at once using the master toggle. This gives Kilo Code complete autonomy to read files, write code, execute commands, and perform any operation without asking for permission.
You can optionally enable an AI Safety Gatekeeper, which reviews every intended change in YOLO mode and intelligently approves or blocks actions before they execute. We suggest using a small, fast model such as OpenAI gpt-oss-safeguard-20b. When enabled, AI Safety Gatekeeper will incur additional costs, as well as additional latency.
When to use:
When NOT to use:
This is the fastest way to work with Kilo Code, but also the riskiest. Use it only when you fully trust the AI and are prepared for the consequences. {% /callout %}
{% /tab %} {% /tabs %}