Auto-Approving Actions
Security Warning: Auto-approve settings bypass confirmation prompts, giving Kilo Code direct access to your system. This can result in data loss, file corruption, or worse. Command line access is particularly dangerous, as it can potentially execute harmful operations that could damage your system or compromise security. Only enable auto-approval for actions you fully trust.
Auto-approve settings speed up your workflow by eliminating repetitive confirmation prompts, but they significantly increase security risks. The VSCode (Legacy), VSCode, and CLI versions each handle permissions differently — choose the tab that matches your setup.
Overview
The extension uses a granular, per-tool permission system. You can configure permissions through the Settings → Auto Approve tab, which provides a UI with per-tool Allow / Ask / Deny dropdowns.
The UI reads and writes to the same kilo.jsonc config files used by the CLI, so changes made in either place are reflected in both.
Permission Levels
Each tool permission can be set to one of three values:
| Value | Behavior |
|---|---|
| "allow" | The tool runs automatically without prompting |
| "ask" | Kilo pauses and asks for approval before running the tool |
| "deny" | The tool is blocked entirely |
When no rule matches a permission check, the default action is ask.
Available Tool Permissions
The Auto Approve tab lists the following tool-specific permissions. Some tools are grouped together in the UI and share a single permission level:
| Permission | Controls |
|---|---|
| external_directory | Accessing files outside the project directory |
| bash | Executing shell commands |
| read | Reading file contents |
| edit | Editing existing files |
| glob | File pattern matching / searching by name |
| grep | Searching file contents by regex |
| list | Listing directory contents |
| task | Launching sub-agents |
| skill | Loading specialized skills |
| lsp | Language server protocol operations |
| todoread / todowrite | Reading and updating the todo list |
| websearch / codesearch | Performing web or code searches |
| webfetch | Fetching content from URLs |
| doom_loop | Allowing the agent to continue after repeated failures |
Runtime Permission Requests
When a tool is set to "ask", Kilo pauses and displays a permission prompt with two options:
| Option | Behavior |
|---|---|
| Run | Allow this specific invocation |
| Deny | Block this specific invocation |
Expand Manage Auto-Approve Rules to add commands or patterns to your allowed or denied lists. These rules are then appended to the bottom of the approval rules in settings and the config file.
Defaults
Most tools default to "*": "allow" for a smooth out-of-the-box experience. Notable exceptions that prompt by default:
- .env files — reading .env files prompts for approval. Files matching *.env.* (e.g., .env.local, .env.production) also trigger an ask, while *.env.example is explicitly allowed.
- external_directory — accessing files outside the project prompts for approval
- doom_loop — prompts when the agent enters a repeated failure cycle
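As an added example (not Kilo Code's own code), this Python auditor checks a permission mapping for the risky settings described above: a blanket "allow" on bash, external_directory or doom_loop, and .env reads that are allowed with no "ask" or "deny" rule covering them. The mapping shape (tool to level, or tool to a pattern-to-level object) and the fnmatch-style globbing are assumptions; RISKY and HARDENED are constructed samples.

```python
from fnmatch import fnmatchcase

LEVELS = {"allow", "ask", "deny"}
# Shell access plus the two tools the page says prompt by default.
HIGH_RISK = {"bash", "external_directory", "doom_loop"}
SECRET_SAMPLES = (".env", ".env.local", ".env.production")


def rules_for(value):
    """Normalize a tool setting to a list of (pattern, level) pairs."""
    return [("*", value)] if isinstance(value, str) else list(value.items())


def audit(permissions):
    """Return sorted (tool, subject, message) findings for risky rules."""
    findings = []
    for tool, value in permissions.items():
        rules = rules_for(value)
        for pattern, level in rules:
            if level not in LEVELS:
                findings.append((tool, pattern, "unknown level"))
            elif level == "allow" and pattern == "*" and tool in HIGH_RISK:
                findings.append((tool, pattern, "blanket allow on high-risk tool"))
        if tool != "read":
            continue
        for sample in SECRET_SAMPLES:
            # Levels of every rule whose glob matches this secret file name.
            hits = [lvl for pat, lvl in rules if fnmatchcase(sample, pat)]
            # No matching rule means the default "ask" applies, so no finding.
            if "allow" in hits and not {"ask", "deny"} & set(hits):
                findings.append((tool, sample, "secret file read without prompt"))
    return sorted(findings)


# Constructed sample mappings (assumed shape, not copied from a real kilo.jsonc).
RISKY = {
    "read": "allow",
    "bash": {"*": "allow"},
    "external_directory": "allow",
    "edit": "always",  # typo for a level: reported as unknown
}
HARDENED = {
    "read": {"*": "allow", "*.env": "ask", "*.env.*": "ask", "*.env.example": "allow"},
    "bash": {"*": "ask", "git status": "allow"},
    "external_directory": "ask",
    "doom_loop": "ask",
}

if __name__ == "__main__":
    for finding in audit(RISKY):
        print(finding)
```

The check is order-independent: it only reports a secret file when no "ask" or "deny" rule matches it at all, so it does not depend on how Kilo resolves overlapping patterns.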