Grok CLI Manual

Permissions and Safety

Grok can edit files and run commands. Choose an approval mode based on whether the project is trusted and recoverable.

Common local configuration

[ui]
max_thoughts_width = 120
yolo = true
compact_mode = false
permission_mode = "always-approve"

This configuration suits a trusted personal development environment because Grok can run tools continuously. It also means file changes and commands no longer wait for approval one by one.

Use it only when:

  • The repository and its instruction files are trusted.
  • Git or another version-control system protects the working tree.
  • You are not running directly on a production host, critical database, or secret-heavy environment.
  • You review the diff and run relevant tests after changes.

Tighten or relax one run

Plan without direct execution:

grok --permission-mode plan

Auto-approve only this run:

grok --always-approve

The CLI also provides --allow, --deny, --sandbox, and --disallowed-tools for finer control over tools and execution scope. Prefer plan mode or explicit allow/deny rules for unfamiliar projects.