module 03 permissions safety

When to slow down

Full Lesson Reference

Most permission prompts are routine. Editing a file in your project folder - fine, hit 1. Creating a new report - fine, hit 1. Committing your work - fine.

But some actions deserve 10 seconds of thought before you approve. This lesson teaches you to spot them.

A simple way to think about risk

Claude Code itself doesn't colour-code actions by risk level - that's on you. The traffic-light idea below is a mental model we use for teaching. It's not a feature you'll find in the Claude Code interface, just a shorthand for "green = approve quickly, amber = read first, red = stop and think".

Use it when you're new, drop it once your instincts catch up.

Green - approve quickly

Routine actions inside your project folder. Low risk, easy to undo, no external effects.

  • Creating or editing files in your project folder
  • Reading files to understand context
  • Running local-only commands (ls, cat, grep)
  • Installing standard tools you know and use
  • Committing your work to git (local)

Hit 1 or 2 without overthinking.

Amber - read the prompt, then approve

Actions that touch external systems, make permanent changes, or affect more than your local files. Read what Claude is actually doing before you approve.

  • Pushing to GitHub (other people will see it)
  • Deploying to a live URL
  • Sending data to an API or external service
  • Installing packages you've never heard of
  • Editing files outside your project folder
  • Modifying configuration files (especially .zshrc, .bashrc, .claude/)

Hit 1 only after you've read what Claude wants to do.

Red - stop and read every word

Actions that are hard to reverse, affect shared infrastructure, or cost money. Read carefully. Say no if anything feels off.

  • Deleting files or folders
  • rm -rf anything
  • Force push (git push --force)
  • Dropping database tables or records
  • Creating or changing ads in any ad platform
  • Sending emails via Klaviyo, Mailchimp, or any provider
  • Charging a credit card or moving money
  • Posting to Slack, LinkedIn, Twitter, or any public channel
  • Changing DNS records or domain settings
  • Anything with the word dangerously in the command

Default to 4 (No, tell Claude what to do differently). Read what Claude wants. Only approve if you're completely sure.
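The sketch below applies the green / amber / red lists to shell command strings. It is an added example, not part of Claude Code or of the original lesson. The names classify, classify_one and LOCAL_GIT are hypothetical, it covers only the shell-command items from the lists, and it deliberately errs towards the higher tier when it cannot tell what would run.

```python
import os
import re
import shlex

RANK = {"green": 0, "amber": 1, "red": 2}
READ_ONLY = {"ls", "cat", "grep"}              # the lesson's local-only commands
LOCAL_GIT = {"add", "commit"}                  # assumed set of local git steps
SENSITIVE = (".zshrc", ".bashrc", ".claude/")  # config files the lesson names

def classify_one(command, project_dir):
    """Tier for one simple command (no chaining operators)."""
    if "dangerously" in command:
        return "red"
    try:
        tokens = shlex.split(command)
    except ValueError:
        return "red"                           # unbalanced quotes: cannot tell what runs
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if not tokens:
        return "green"
    prog, args = os.path.basename(tokens[0]), tokens[1:]
    if prog in ("rm", "rmdir"):
        return "red"                           # deleting files or folders
    if prog == "git" and "push" in args:
        forced = any(a.startswith("--force") or re.fullmatch(r"-\w*f\w*", a)
                     for a in args)
        return "red" if forced else "amber"    # a plain push is still visible to others
    root = os.path.realpath(project_dir)
    for arg in (a for a in args if not a.startswith("-")):
        if any(name in arg for name in SENSITIVE):
            return "amber"
        path = os.path.realpath(os.path.join(root, os.path.expanduser(arg)))
        if path != root and not path.startswith(root + os.sep):
            return "amber"                     # reaches outside the project folder
    if prog in READ_ONLY or (prog == "git" and args[:1] and args[0] in LOCAL_GIT):
        return "green"
    return "amber"                             # unknown tool: read before approving

def classify(command, project_dir):
    """Worst tier across every segment of a chained command line."""
    parts = re.split(r"&&|\|\||[;|\n]", command)
    return max((classify_one(p, project_dir) for p in parts), key=RANK.get)
```

Chained commands are split first so that a harmless-looking prefix such as `ls &&` cannot hide a red action later on the same line.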

The 3 questions to ask before approving red actions

Before hitting 1 on any red-light action:

  1. Is this reversible? If something goes wrong, can you undo it? Deleting files is usually reversible (backup). Force-pushing over shared work is not.
  2. Who sees this? Internal change = lower risk. Public-facing change (live URL, sent email, published post) = much higher risk.
  3. Does this cost money or touch real customers? Campaign budgets, ad accounts, customer emails - always get a second pass before approving.

If any answer is "no / shared / yes", slow down. Approve only when the answers are "yes / internal-only / no".

When you're not sure, ask Claude

You can always ask Claude what it's about to do, why, and what the consequences are. Before approving:

Explain what this command will do and what happens if it fails.

Or

Is this reversible? What's the worst case?

Claude will give you a plain-English walkthrough. Much faster than Googling the command.

Specific rules for marketing work

Three rules to bake in from day one

Never approve ad platform mutations without a review

If Claude wants to create, pause, or change an ad, campaign, or ad set in Google Ads, Meta Ads, LinkedIn, TikTok, or any ad platform - always hit 4 (No) first. Ask Claude to show you the plan. Review the plan. Only approve after you've read what's changing and confirmed the spend impact.

Never approve email sends without a full read

If Claude wants to trigger an email send via Klaviyo, Mailchimp, or any email provider - always hit 4 first. Read the email. Confirm the segment. Check the send time. Sends can't be undone once they go out.

Never approve public posts without reviewing the content

If Claude wants to post to Slack, LinkedIn, Twitter, or any public channel - always read the exact text first. Public posts are permanent. Screenshots outlive deletions.

It's free to say no

There's no cost to hitting 4. Claude will explain what it wanted to do and you can decide from there. The worst outcome of saying no is Claude explains itself and you then say yes.

The worst outcome of saying yes blindly is a deleted file, a sent email, a blown budget, or a post you can't unpublish.

Action items

☐ Use the traffic-light mental model (green / amber / red) to judge risk quickly

☐ Memorise the 3 questions: reversible? who sees this? costs money?

☐ Default to 4 (No) on any red-light action until you've read what Claude wants to do

☐ Practice asking Claude "explain what this will do" before approving unfamiliar actions

☐ Lock in the 3 marketing rules: no ad mutations without review, no email sends without full read, no public posts without content check

Next lesson: Auto mode.

Exercises

  1. Review the concepts covered in this lesson: When to slow down.
  2. Write down your key takeaway from this lesson.
  3. Practice running any commands or prompts mentioned above inside your terminal.