Default Behaviour
PraisonAI is safe by default: a fresh install on an interactive terminal asks before running dangerous tools (shell exec, file writes, code execution). Pipes, CI runners, and redirected I/O fall back to deny by default — dangerous tools never run unattended without an explicit policy.| Context | Default | What you see |
|---|---|---|
| Interactive terminal (TTY) | Ask | An approval prompt appears the first time a dangerous tool is called |
| Pipe / CI / non-TTY | Deny | The dangerous tool is hard-denied before it runs |
PRAISONAI_TOOL_SAFETY=off set | Bypass | Legacy ungated behaviour; nothing is gated |
approval=False (Python) | Deny | Same as non-TTY: deny-by-default, no prompt |
approval="bypass" (Python) | Bypass | Same as PRAISONAI_TOOL_SAFETY=off |
sys.stdin and sys.stdout are TTYs. This avoids surprises in CI / Docker / scheduled-task contexts.
Bypassing the Prompt
Per-run bypass — --dangerously-skip-approval
For one-off runs you trust completely:
--no-safe. Both set PRAISONAI_TOOL_SAFETY=off for the subprocess and run dangerous tools without prompting.
Session-wide bypass — PRAISONAI_TOOL_SAFETY=off
For a whole shell session:
off, full, none, 0, false (case-insensitive). Any other value falls back to the default preset.
Python-level bypass — approval="bypass"
approval=False instead if you want deny-by-default without the prompt (CI-style behaviour from inside a TTY-attached process).
Declarative Permissions
Pre-declare allow/deny rules for CI-safe runs. See Declarative Permissions.| Flag | Description |
|---|---|
--allow <pattern> | Allow matching tool calls (repeatable) |
--deny <pattern> | Deny matching tool calls (repeatable) |
--permissions <file> | Load rules from YAML or JSON |
--permission-default <action> | Default for unmatched patterns (allow, deny, ask) |
Overview
Certain tools are marked with risk levels and require approval before execution:| Risk Level | Tools | Default Behavior |
|---|---|---|
| CRITICAL | execute_command, kill_process, execute_code | Always prompts |
| HIGH | write_file, delete_file, move_file, copy_file, edit_file, apply_patch | Always prompts |
| MEDIUM | evaluate, crawl, scrape_page | Always prompts |
| LOW | (none by default) | Always prompts |
YAML Configuration
Configure approval settings in your YAML configuration file using theapproval: block:
Shorthand Forms
Legacy YAML Aliases (Backward Compatible)
| Legacy key | New key |
|---|---|
backend_name | backend |
all_tools | approve_all_tools |
approval_timeout | timeout |
Validation
Unknown keys now raiseValueError with the list of allowed keys — silent typos no longer pass through undetected.
CLI ⇄ YAML ⇄ Python Mapping
All three surfaces use the same unified configuration:| CLI flag | YAML key | Python field |
|---|---|---|
--trust | N/A (use backend: auto) | backend="auto", enabled=True |
--approval <backend> | backend: <backend> | backend="<backend>", enabled=True |
--approve-all-tools | approve_all_tools: true | approve_all_tools=True |
--approval-timeout <sec> | timeout: <sec> | timeout=<sec> |
--approve-level <level> | approve_level: <level> | approve_level="<level>" |
--guardrail "<text>" | guardrails: "<text>" | guardrails="<text>" |
praisonai code Safety Flags
| Flag | Default | Effect |
|---|---|---|
--safe / --no-safe | --safe (ON) | Safe mode ON by default. --no-safe sets PRAISONAI_TOOL_SAFETY=off and restores legacy ungated behaviour. |
--dangerously-skip-approval | OFF | Skip all approval prompts and run dangerous tools unguarded. Equivalent to --no-safe. |
--trust | OFF | Auto-approve all tool executions. |
--approval <backend> | — | Route approvals to a backend (console, slack, …). |
Auto-Approve All Tools (--trust)
Use the --trust flag to auto-approve all tool executions without prompting:

Usage
Level-Based Approval (--approve-level)
Use --approve-level to auto-approve tools up to a specific risk level:
low- Only auto-approve low risk toolsmedium- Auto-approve low and medium risk toolshigh- Auto-approve low, medium, and high risk toolscritical- Auto-approve all tools (same as--trust)
Examples
Approval Backend (--approval)
Use --approval to route tool approvals to a specific backend — Slack, Telegram, Discord, a webhook, or more:
Available Backends
| Value | Backend | Required Env Vars |
|---|---|---|
console | Interactive terminal prompt (default) | — |
slack | Slack Block Kit message + reply polling | SLACK_BOT_TOKEN, SLACK_CHANNEL |
telegram | Telegram inline keyboard + polling | TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID |
discord | Discord embed + text reply polling | DISCORD_BOT_TOKEN, DISCORD_CHANNEL_ID |
webhook | POST to HTTP endpoint + poll for decision | APPROVAL_WEBHOOK_URL |
http | Local web dashboard (browser-based) | — |
agent | Delegate to an AI reviewer agent | — |
auto | Auto-approve all (same as --trust) | — |
none | Disable approval entirely | — |
Works With All CLI Commands
Programmatic Control
Custom tools registered via
add_approval_requirement(...) are now gated on the interactive ConsoleBackend ask path, not just the deny path. Previously, registry-required custom tools were only blocked in non-interactive mode — that gap is now closed.Risk Level Reference
Critical Risk Tools
execute_command- Run shell commandskill_process- Terminate processesexecute_code- Execute arbitrary code
High Risk Tools
write_file- Write to filesdelete_file- Delete filesmove_file- Move/rename filescopy_file- Copy filesedit_file- Edit existing file contentapply_patch- Apply a patch/diff to filesexecute_query- Database queries
Medium Risk Tools
evaluate- Evaluate expressionscrawl- Web crawlingscrape_page- Web scraping
Best Practices
Use deny-by-default in CI
Use deny-by-default in CI
Set
approval=False (or let the non-TTY default kick in automatically) so an agent run in CI never silently executes a destructive tool, even on a misconfigured runner that mistakenly attaches a TTY.For development/testing: use --trust for faster iteration
For development/testing: use --trust for faster iteration
When you’re actively monitoring the AI’s actions,
--trust speeds up iteration by skipping prompts entirely.For production scripts: use --approve-level high
For production scripts: use --approve-level high
Allow file operations but still require approval for shell commands:
Related Features
Approval Protocol
All approval backends (Slack, Telegram, Discord, Webhook, HTTP, Agent)
Sandbox Execution
Secure isolated command execution
Autonomy Modes
Control AI autonomy levels
Tool Tracking
Monitor tool usage

