What is the risk of Claude Dynamic Workflows?

Anthropic is steadily moving Claude Code users toward more autonomous, agentic features that reduce human review and expand the risk surface.

Dynamic Workflows, enabled by default for users across all tenants on June 8, 2026, are the most significant example to date: a single prompt fans out into hundreds of subagents that edit files and run tools with limited per-action approval.

What are dynamic workflows, and when are they used?

A dynamic workflow is a script that Claude writes and executes in the background to orchestrate subagents at scale without blocking the user's primary session. Anthropic positions them for tasks that "need more agents than one conversation can coordinate", such as codebase-wide bug sweeps or research cross-checked across many sources. A single run can dynamically spawn up to 1000 agents as the workflow executes, each reading files, writing files, and running commands.

An example dynamic workflow executes, orchestrating agents in the background while the user can keep interacting with Claude.

What is the risk of Dynamic Workflows?

  1. Anthropic recommends that users operate in auto mode to take advantage of workflows. In this mode, an agentic system decides which commands are safe to run and when to involve a human in the loop. The Dynamic Workflows release notes state:

    "For the best experience, turn on auto mode when using dynamic workflows."

    In the app, if the user is not in auto mode and a workflow requires human approval, the permissions pop-up encourages switching to auto mode:

    Permissions modal encourages using auto-mode.
    Automatic Command Execution within Workflows

    In Auto mode, sensitive actions taken by an agent are evaluated by a second classifier agent, which assesses whether the command is safe. This includes operations such as running MCP tools, making network requests, and editing files outside the active project.

    However, this poses a risk: classifier agents can be manipulated by prompt injection into approving malicious commands. This risk is explored in another of our articles, which demonstrates Codex's agent-based approval mode installing malware after ingesting a hidden comment in a GitHub issue.

    Kicking off Workflows Without Human Approval

    When Claude is in auto mode and attempts to run a workflow, the user is by default prompted for consent before the first workflow they ever run; after that, any workflow in any project or session executes automatically.

    If 'Ultracode' is enabled, workflows execute immediately, irrespective of whether a workflow has been approved before.

    Ultracode is a mode that allows Claude to determine when workflows are warranted, and sets the model's reasoning level to 'xhigh'.

    Documentation describes the one-time consent:

    "First launch only. Any Yes records consent in your user settings, and later launches start without prompting. Skipped entirely when ultracode is on."

    Because these workflows execute without a permissions gate, they open a new avenue for indirect prompt-injection attacks: manipulating Claude into writing a malicious workflow and running it. The subagents in that workflow, and the classifiers evaluating their command requests, are unlikely to have context on the original prompt injection that created the workflow. This makes it more likely that malicious commands are executed than with an injection that tries to manipulate the classifier in the main Claude session.


  2. Extensive tool allowlisting is common

    As an alternative to (or in addition to) auto mode, users are encouraged to add commands, MCP tools, web search, and other utilities to an 'always allow' list, which prevents long workflow runs from constantly pausing for approval. The documentation describes pre-approving the tools agents will reach for:

    "Shell commands, web fetches, and MCP tools that aren't in your allowlist can still prompt you mid-run. To avoid this on a long run, add the commands the agents need to your allowlist before starting."

    Users are offered the option to allowlist tools so that agents do not request manual approval.

    This comes with a significant risk. MCP connectors, web fetches, and other tools can introduce untrusted data and enable actions across third-party applications. We threat model the risk associated with connectors in the following article:


  3. Subagent permissions do not match the documentation

    The documentation states that while Claude is running in interactive mode*, workflow subagents always run in 'acceptEdits' mode:

    *Interactive mode is the default for Claude users; non-interactive mode describes use of Claude via the SDK or with the -p flag.

    "The subagents the workflow spawns always run in acceptEdits mode and inherit your tool allowlist, regardless of your session's mode. File edits are auto-approved."

    AcceptEdits mode allows automatic file edits within the workspace and execution of a limited list of commands. This poses a moderate risk: an agent can modify files in the workspace unexpectedly, and with hundreds of subagents, erroneous or malicious edits can be difficult to identify.

    Furthermore, the documentation is inaccurate: workflow subagents do not run in a fixed acceptEdits mode. They instead inherit the permission mode of the main session, such as 'Auto mode' or 'BypassPermissions'. This creates a risk when organizations approve workflows for use, or when users initiate a workflow, believing that the spawned agents will have limited access. In reality, the subagents can execute sensitive commands and write outside the workspace in accordance with the approval mode of the user's primary session.


  4. Usage Exposure via Parallel Subagent Utilization

    Dynamic Workflows also carry a usage risk. The runtime will spawn up to 1,000 agents per run, and the documentation acknowledges the impact:

    "A workflow spawns many agents, so a single run can use meaningfully more tokens than working through the same task in conversation."

    A mis-scoped or runaway workflow can quickly exhaust a very large token budget, consuming a team's usage and rate limits. Dynamic workflows let a single developer consume tens to hundreds of times as many tokens; it is comparable to running many Claude Code sessions in parallel.

Admin options to restrict Dynamic Workflows

Admins can turn Dynamic Workflows off org-wide in three ways:

  • Managed settings: Organization settings → Claude Code → Managed settings (settings.json), and set "disableWorkflows": true.

  • Toggle: Organization settings → Claude Code → toggle off Workflows.

  • By role: Organization settings → People → Roles → edit a role or create a new one → Capabilities → Claude Code → disable Workflows.
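To help admins check that the managed settings above actually disable workflows and that the allowlist described in section 2 does not pre-approve shell, web-fetch or MCP tools wholesale, here is a small audit script. It is an added example, not code from the post or from Anthropic; "disableWorkflows" is the key named above, while the "permissions.allow" list of "Tool(pattern)" rules and the sample file are assumptions constructed for illustration.

```python
from __future__ import annotations
import json
from typing import Any

# Constructed sample of an org-level managed settings.json (not any real tenant's file).
# "disableWorkflows" is the key named in the post; the "permissions.allow" list of
# "Tool(pattern)" rules is an assumed layout modelled on Claude Code allowlist syntax.
SAMPLE_SETTINGS = """{
  "disableWorkflows": false,
  "permissions": {
    "allow": ["Bash(npm run test)", "Bash(*)", "WebFetch", "mcp__github__*", "Read"]
  }
}"""

# Tools that pull untrusted content into a run; broad pre-approval of these is what
# section 2 of the post warns about.
UNTRUSTED_INPUT_TOOLS = {"WebFetch", "WebSearch"}


def split_rule(rule: str) -> tuple[str, str | None]:
    """Split 'Tool(pattern)' into ('Tool', 'pattern'); a bare 'Tool' yields (rule, None)."""
    if rule.endswith(")") and "(" in rule:
        tool, _, pattern = rule[:-1].partition("(")
        return tool, pattern
    return rule, None


def is_wildcard(pattern: str | None) -> bool:
    """A missing pattern or a lone '*' matches every invocation of the tool."""
    return pattern is None or pattern.strip() == "*"


def audit_settings(raw_json: str) -> list[str]:
    """Return human-readable findings for one managed settings document."""
    settings: dict[str, Any] = json.loads(raw_json)
    findings: list[str] = []
    if settings.get("disableWorkflows") is not True:
        findings.append("disableWorkflows is not true: dynamic workflows stay enabled org-wide")
    for rule in settings.get("permissions", {}).get("allow", []):
        tool, pattern = split_rule(rule)
        if tool == "Bash" and is_wildcard(pattern):
            findings.append(f"{rule}: every shell command is pre-approved for all subagents")
        elif tool in UNTRUSTED_INPUT_TOOLS and is_wildcard(pattern):
            findings.append(f"{rule}: unrestricted {tool} lets agents ingest arbitrary web content")
        elif tool.startswith("mcp__") and (is_wildcard(pattern) or rule.endswith("*")):
            findings.append(f"{rule}: MCP connector pre-approved without per-tool scoping")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

Run it against each role's exported managed settings; an empty findings list means workflows are off and every allowlist entry is scoped to a specific command or tool.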
