What does Claude Code's --safe-mode flag do?

It launches Claude Code with all customizations disabled. Specifically: no custom Skills loaded, no MCP servers connected, no project-level CLAUDE.md instructions applied, the .claude/agents directory ignored, and no slash-command overrides. The result is vanilla Claude Code with only Anthropic's built-in behavior. The flag was added in v2.1.169 (June 8, 2026). The equivalent environment variable is CLAUDECODESAFEMODE. Practically: claude --safe-mode is what you run when you want to debug whether a Claude Code issue is in core or in your customizations, or when you want a session with no project-specific instructions for safety-sensitive work where you don't want loaded prompts to influence the conversation.

When should I use --safe-mode for debugging?

Use --safe-mode any time Claude Code behaves unexpectedly and you're not sure if the issue is in Claude Code core or in your customizations. Three common cases. (1) Claude is taking suspicious actions or making decisions you didn't expect — --safe-mode tells you if a Skill or CLAUDE.md instruction is misleading it. (2) Claude is hanging or returning errors — --safe-mode rules out an MCP server timing out or a Skills handler crashing. (3) Slash commands aren't working — --safe-mode rules out a custom slash-command override. The mental model: --safe-mode is the bisect step. Reproduce the issue in --safe-mode. If it still happens, the issue is in Claude Code core (file a bug). If it doesn't happen in --safe-mode, the issue is in your customizations (bisect among your Skills, MCP servers, and CLAUDE.md to find which one).

When should I use --safe-mode for safety-sensitive work?

Use --safe-mode when you want a fully isolated Claude Code session with no risk of pre-loaded instructions affecting the conversation. Three scenarios. (1) Sensitive client work where you don't want generic project instructions accidentally surfacing in conversations or outputs. (2) Security audits or pen-testing-adjacent work where you want zero ambient context. (3) Investigating a possible prompt injection — if you suspect something in your Skills, CLAUDE.md, or MCP server outputs has been crafted to manipulate Claude, --safe-mode strips all of those out so you can debug clean. Note: --safe-mode doesn't make Claude Code more secure in the traditional sense; it just isolates the session from your customizations. For genuinely security-sensitive work, also consider running Claude Code in a sandboxed environment with restricted file system access.

How does --safe-mode differ from just deleting my CLAUDE.md?

Two important differences. (1) Scope — --safe-mode disables CLAUDE.md plus Skills plus MCP servers plus the agents directory plus slash-command overrides, all at once. Deleting CLAUDE.md only disables one of those. To match --safe-mode's effect without the flag you'd have to disable all of them manually, which is fragile and reversible by accident. (2) Reversibility — --safe-mode is per-session. Quit Claude Code without the flag and your customizations are back. Deleting CLAUDE.md is permanent. For debugging, --safe-mode is strictly better than the manual equivalent. For long-term cleanup, you might still want to actually delete or refactor the customizations after using --safe-mode to confirm one of them is the problem.

Quick Answer

Claude Code --safe-mode Flag: When and Why to Use It (June 2026)

Published: June 16, 2026

Claude Code —safe-mode Flag: When and Why to Use It (June 2026)

Claude Code v2.1.169 (June 8, 2026) added the —safe-mode flag, which launches Claude Code with all customizations disabled. This page covers what —safe-mode actually disables, the debugging scenarios it solves, the safety-sensitive scenarios it enables, and when to use it vs other approaches.

Last verified: June 16, 2026.

TL;DR

What: Launch Claude Code with all customizations off — no Skills, no MCP servers, no CLAUDE.md, no agents directory, no slash-command overrides.
How: claude --safe-mode or set env var CLAUDECODESAFEMODE=1.
When for debugging: Any time Claude Code behaves unexpectedly and you need to bisect core vs customizations.
When for safety: Any session where you want full isolation from project context — sensitive client work, security audits, prompt-injection investigation.
Alternatives: Sometimes still useful to actually delete the customization that’s causing problems after —safe-mode confirms it.

What —safe-mode actually disables

Per the Claude Code v2.1.169 release notes:

Customization	Disabled?
Custom Skills (`.claude/skills/`)	Yes
MCP server connections (`.mcp.json`)	Yes
Project CLAUDE.md	Yes
`.claude/agents/` directory	Yes
Custom slash-command overrides	Yes
User-level claude.md	Yes
Built-in slash commands	No, still work
Built-in tools (Read, Write, Edit, exec, etc.)	No, still work
Anthropic system prompt	No, still active

So you get vanilla Claude Code — the built-in behavior, no project or user customizations layered on. Quitting without the flag restores everything to normal.

Debugging scenarios where —safe-mode helps

Scenario 1: Claude is making weird decisions

You ask Claude Code to refactor a function and it tries to delete the entire file. You ask it to add tests and it modifies unrelated code. You ask it to commit and it pushes to main against your wishes.

Root cause is almost always a Skill or CLAUDE.md instruction telling Claude to do something you forgot you wrote. Run with —safe-mode. If the weird behavior goes away, you know it’s a customization. Bisect by re-enabling things one at a time. The fastest bisect: start by adding back just CLAUDE.md (the highest-frequency culprit), then Skills, then MCP servers, then agents.

Scenario 2: Claude is hanging or timing out

Claude Code hangs on startup, or takes 30 seconds to respond to the first prompt, or returns mysterious errors. Run with —safe-mode. If startup is now fast, you have an MCP server that’s slow or crashing. Disconnect MCP servers one by one (or check the .mcp.json file for ones you don’t recognize) to find the culprit.

This was a common debugging path even before —safe-mode existed; the difference is —safe-mode is now the one-step diagnostic instead of manually editing config files.

Scenario 3: Slash commands don’t work

You type /something and either get an error or nothing happens. Custom slash-command overrides in .claude/commands/ can shadow built-in commands. Run with —safe-mode to confirm whether the issue is in your override or in the built-in.

Scenario 4: Skills not loading when expected

You expected a Skill to load on a particular kind of task and it didn’t. Run with —safe-mode (which disables Skills entirely) to confirm Claude’s default behavior on the task, then run without —safe-mode to see what the Skill changes. The before-after comparison tells you whether the Skill is loading at all and whether its instructions are having the intended effect.

Safety-sensitive scenarios where —safe-mode helps

Sensitive client work

You’re working on a project for Client A, your CLAUDE.md and Skills reference Client A’s stack, conventions, and people. You want to spin up a Claude Code session for Client B without any of that context bleeding in. Run —safe-mode. Vanilla Claude Code with no project context. When you’re done, quit without the flag and your customizations come back for the next session.

Security audits or pen-testing adjacent work

You want zero ambient context for an audit. You don’t want Claude to pre-load assumptions about the codebase that might mask vulnerabilities. —safe-mode strips all of that.

This is not the same as Claude being more secure; —safe-mode doesn’t change Anthropic’s underlying safety behaviors. It just removes your project customizations from the context. For genuinely security-sensitive work, layer —safe-mode with a sandboxed environment, restricted filesystem access, and explicit pre-prompt-injection mitigations.

Investigating prompt injection

You suspect a Skill, CLAUDE.md, or MCP server output is doing prompt-injection-style manipulation. Run —safe-mode. If the weird behavior goes away, the injection vector is in your customizations. Bisect to find it.

Prompt injection through MCP servers specifically is an underrated risk in mid-2026. MCP servers return tool outputs that get spliced into Claude’s context. A malicious or compromised MCP server can return outputs crafted to manipulate Claude. —safe-mode is the diagnostic step that rules this out.

When —safe-mode is the wrong answer

When you want to selectively disable just one customization

—safe-mode is the nuclear option. If you only want to disable Skills (and keep MCP servers and CLAUDE.md), you’ll need to manually move the .claude/skills/ directory aside or use the per-Skill enable/disable. —safe-mode disables everything; that’s not always what you want.

When you want to keep customizations but reset Claude’s context

Sometimes Claude has loaded a bad assumption mid-session and you want to start fresh. —safe-mode helps if the bad assumption came from a customization; it doesn’t help if the bad assumption was generated inside the conversation itself. For mid-session context reset, you just need a new session, with or without —safe-mode.

When the actual issue is the model or rate limits

—safe-mode disables your customizations but does not change which model Claude Code is using or whether Anthropic’s API is responding. If you’re hitting elevated errors (see status.claude.com), —safe-mode won’t help. Diagnose the model/API issue first.

How to use it in practice

The minimal commands:

# Launch with safe-mode
claude --safe-mode

# Or with env var
CLAUDECODESAFEMODE=1 claude

# Verify by checking what Claude knows about your project
> What do you know about this project from CLAUDE.md or Skills?

In safe-mode, the third command should produce a response indicating no project-specific knowledge is loaded. If Claude still reports knowing your project, something is wrong with —safe-mode itself (or there’s a customization location it doesn’t recognize). File a bug.

Workflow recommendation

For debugging unexpected behavior:

Reproduce the issue without —safe-mode (you already did this when you noticed it).
Run the same task with —safe-mode.
If reproduces in —safe-mode: it’s a Claude Code core issue. File a bug at the Claude Code repo with the exact reproduction.
If doesn’t reproduce in —safe-mode: it’s in your customizations. Bisect — re-enable CLAUDE.md, then Skills, then MCP servers, then agents, running the task each time. The first customization that brings the issue back is the culprit.
Fix the culprit. Re-test without —safe-mode to confirm fixed.

This is the standard bisect debugging workflow. —safe-mode just makes the “everything off” step easy.

Bottom line

—safe-mode is a small feature that solves a real debugging problem. It is the bisect step you reach for when Claude Code is misbehaving and you don’t know if the issue is core or customizations. It is also useful as a session-isolation tool for sensitive work where you don’t want project context loaded.

It is not a magic safety button. It does not make Claude Code more secure in the traditional sense — it just isolates your customizations. For genuinely security-sensitive work, combine it with sandboxed environments and explicit defenses against the prompt-injection vectors that MCP servers can introduce.

Use it. It’s a five-character flag that saves you hours when something goes weird.