Grok CLI Manual
Permissions and Safety
Grok can edit files and run commands. Choose an approval mode based on whether the project is trusted and recoverable.
Common local configuration
[ui]
max_thoughts_width = 120
yolo = true
compact_mode = false
permission_mode = "always-approve"This configuration suits a trusted personal development environment because Grok can run tools continuously. It also means file changes and commands no longer wait for approval one by one.
Use it only when:
- The repository and its instruction files are trusted.
- Git or another version-control system protects the working tree.
- You are not running directly on a production host, critical database, or secret-heavy environment.
- You review the diff and run relevant tests after changes.
Tighten or relax one run
Plan without direct execution:
grok --permission-mode planAuto-approve only this run:
grok --always-approveThe CLI also provides --allow, --deny, --sandbox, and --disallowed-tools for finer control over tools and execution scope. Prefer plan mode or explicit allow/deny rules for unfamiliar projects.