Auto-approving tools
By default, InsightWorker asks before running any tool that writes (file edits, shell commands, API mutations). Reads and lookups (file reads, search, web fetch) run without prompting.
For trusted apps or daemon mode, you can pre-approve specific tools.
How approval works
When the agent wants to call a write tool, the surface (CLI, VS Code, desktop) shows a confirmation prompt with:
- Tool name (e.g. bash, edit_file, jira_create_issue)
- Parameters (the actual command or diff)
- Buttons: Approve once / Approve always / Reject
Approve once runs this single call. Approve always adds the tool to your auto-approve list for this session and future sessions.
Configure
Edit ~/.insightworker/.env:
```
# Comma-separated tool names that skip the approval prompt:
AUTO_APPROVE_TOOLS=read_file,grep,list_files,jira_search,jira_issue,sharepoint_list,sharepoint_search,sharepoint_read,perplexity_search
# Or approve everything (NOT RECOMMENDED for non-daemon use):
AUTO_APPROVE_ALL=false
```
Per-surface override:
| Surface | How to set |
|---|---|
| CLI | --auto-approve <tool>,<tool> flag, or AUTO_APPROVE_TOOLS env var |
| VS Code | Setting insightworker.autoApprove (comma-separated) |
| Desktop | Settings → "Auto-approved tools" |
| Daemon | ~/.insightworker/.env (no UI) |
Recommended baseline
Always-safe to auto-approve (read-only):
read_file, list_files, grep, glob, jira_search, jira_issue, sharepoint_list,
sharepoint_search, sharepoint_read, perplexity_search, web_fetch, mermaid_render
Approve with caution (writes):
edit_file, write_file, bash, jira_create_issue, jira_comment,
graph_send_email, sharepoint_write
Don't auto-approve unless you fully understand what the app will do.
Daemon mode special case
In daemon mode there's no human to prompt, so every tool call that needs approval and is not in AUTO_APPROVE_TOOLS causes the run to fail with a clear error. For scheduled apps, set the auto-approve list to the union of every tool the app needs.
A pattern that works: maintain a per-skill auto-approve list in the skill's frontmatter and let the daemon enforce only those. (This is a roadmap feature — for now use a global list.)
Inspecting what tools a skill calls
Before adding tools to your auto-approve list, dry-run the skill to see which tools it actually invokes:
```bash
insightworker skill run my-skill --dry-run
```
Dry-run lists tool calls without executing writes — see workflows-and-scheduling/dry-run.md.
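One way to check an auto-approve list before handing it to the daemon, as an added example that is not part of InsightWorker: it parses the .env text, flags pre-approved write tools and names outside the baseline lists above, and compares the list with the tools a skill needs. The function names, the sample values, the reading of `AUTO_APPROVE_ALL=true` as "on", and the `needed` set (filled in by hand from a dry run) are assumptions of this example.

```python
# Added example (not InsightWorker code): audit the auto-approve settings in a .env file.
# Tool classifications are copied from the "Recommended baseline" lists on this page.
READ_ONLY = {
    "read_file", "list_files", "grep", "glob", "jira_search", "jira_issue",
    "sharepoint_list", "sharepoint_search", "sharepoint_read",
    "perplexity_search", "web_fetch", "mermaid_render",
}
WRITES = {
    "edit_file", "write_file", "bash", "jira_create_issue", "jira_comment",
    "graph_send_email", "sharepoint_write",
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(env_text, needed=()):
    """Compare the approved tools with the baseline and with the tools a skill needs."""
    env = parse_env(env_text)
    raw = env.get("AUTO_APPROVE_TOOLS", "")
    approved = {t.strip() for t in raw.split(",") if t.strip()}
    needed = set(needed)
    return {
        # Assumption: the literal value "true" turns AUTO_APPROVE_ALL on.
        "approve_all": env.get("AUTO_APPROVE_ALL", "false").lower() == "true",
        "writes": sorted(approved & WRITES),               # pre-approved write tools
        "unknown": sorted(approved - READ_ONLY - WRITES),  # not in either baseline list
        "missing": sorted(needed - approved),              # needed but not pre-approved
        "unused": sorted(approved - needed) if needed else [],  # candidates to drop
    }

# Constructed sample input, not taken from a real installation.
SAMPLE_ENV = """\
# Comma-separated tool names that skip the approval prompt:
AUTO_APPROVE_TOOLS=read_file,grep,bash, jira_search,my_custom_tool
AUTO_APPROVE_ALL=false
"""
SAMPLE_NEEDED = {"read_file", "jira_search", "jira_create_issue"}  # hypothetical dry-run result

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ENV, SAMPLE_NEEDED).items():
        print(f"{key}: {value}")
```

For a scheduled app, an empty `missing` list with the shortest possible `writes` and `unused` lists is the target state.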
See also
- loop-detector.md — loop and iteration safety
- tools/overview.md — full tool catalog
- workflows-and-scheduling/daemon-mode.md — unattended runs
Source: docs/permissions-and-safety/auto-approve-tools.md in the public repo. Open a PR with corrections.
