How to Safely Use GitHub Copilot Agent Mode
To safely use GitHub Copilot Agent Mode, add SafeClaw action-level gating. Install with npx @authensor/safeclaw and define a deny-by-default policy that controls which files the agent can modify, which terminal commands it can execute, and which extensions it can invoke. Copilot Agent Mode in VS Code operates as an autonomous coding assistant — it plans multi-step changes, edits files across your workspace, runs terminal commands, and iterates on errors without requiring approval for each individual action.
What GitHub Copilot Agent Mode Can Do (And Why That's Risky)
Copilot Agent Mode extends beyond inline suggestions. When activated, it can:
- Edit multiple files simultaneously — the agent proposes and applies multi-file diffs. A single prompt like "add authentication" can modify route handlers, middleware, database models, and configuration files across your project.
- Run terminal commands — the agent executes commands in VS Code's integrated terminal. It runs build tools, test suites, linters, package managers, and arbitrary shell commands.
- Iterate autonomously — when a command fails (tests fail, build errors), the agent reads the error output, modifies code, and retries. This loop runs without returning control to you.
- Use MCP tools and extensions — Copilot can invoke tools from installed VS Code extensions and MCP servers. Each extension adds capabilities the agent can call.
- Read your entire workspace — the agent uses workspace context, including files you may not intend to share: .env files, private keys, internal documentation, and credentials stored in config files.
- Create and delete files — the agent generates new files (components, tests, configs) and can remove files it considers obsolete.
- Access GitHub APIs — through Copilot extensions and built-in GitHub integration, the agent can interact with issues, pull requests, and repository settings.
Step-by-Step Setup
Step 1: Install SafeClaw
```bash
npx @authensor/safeclaw
```
Select MCP Server as the integration type. VS Code supports MCP servers that Copilot Agent Mode can interact with.
Step 2: Get Your API Key
Go to safeclaw.onrender.com and create a free-tier key. Renewable every 7 days, no credit card required.
Step 3: Add SafeClaw as an MCP Server
In your VS Code workspace, create or edit .vscode/mcp.json:
```json
{
  "servers": {
    "safeclaw": {
      "command": "npx",
      "args": ["@authensor/safeclaw", "serve", "--mode", "mcp"],
      "env": {
        "SAFECLAW_API_KEY": "your-key-here"
      }
    }
  }
}
```
Alternatively, add it globally via VS Code settings:
```json
{
  "github.copilot.chat.mcpServers": {
    "safeclaw": {
      "command": "npx",
      "args": ["@authensor/safeclaw", "serve", "--mode", "mcp"],
      "env": {
        "SAFECLAW_API_KEY": "your-key-here"
      }
    }
  }
}
```
Step 4: Define Your Policy
Create safeclaw.policy.yaml in your project root:
```yaml
version: 1
default: deny
rules:
  # Reads: the whole project, minus files that commonly hold secrets.
  # The deny patterns use ** so they match at any directory depth.
  - action: file_read
    path: "${PROJECT_DIR}/**"
    effect: allow
  - action: file_read
    path: "**/.env*"
    effect: deny
  - action: file_read
    path: "**/*secret*"
    effect: deny
  - action: file_read
    path: "**/*.pem"
    effect: deny
  # Writes: source, tests and the two project manifests; never CI/CD workflows.
  - action: file_write
    path: "${PROJECT_DIR}/src/**"
    effect: allow
  - action: file_write
    path: "${PROJECT_DIR}/tests/**"
    effect: allow
  - action: file_write
    path: "${PROJECT_DIR}/package.json"
    effect: allow
  - action: file_write
    path: "${PROJECT_DIR}/tsconfig.json"
    effect: allow
  - action: file_write
    path: "${PROJECT_DIR}/.github/**"
    effect: deny
  # Commands: the npm/npx toolchain and read-only git. Note that npx* fetches and
  # runs any package, and npm run* runs scripts from package.json, which is in the
  # write allowlist above; narrow both if the agent must not extend its own command set.
  - action: shell_exec
    command: "npm test*"
    effect: allow
  - action: shell_exec
    command: "npm run*"
    effect: allow
  - action: shell_exec
    command: "npm install*"
    effect: allow
  - action: shell_exec
    command: "npx*"
    effect: allow
  - action: shell_exec
    command: "git status*"
    effect: allow
  - action: shell_exec
    command: "git diff*"
    effect: allow
  - action: shell_exec
    command: "git push --force*"
    effect: deny
  - action: shell_exec
    command: "rm -rf*"
    effect: deny
  # Network: only the hosts the toolchain needs. The final catch-all restates
  # what default: deny already implies for unlisted hosts.
  - action: network
    host: "registry.npmjs.org"
    effect: allow
  - action: network
    host: "api.github.com"
    effect: allow
  - action: network
    host: "*"
    effect: deny
```
Step 5: Simulate First
```bash
npx @authensor/safeclaw simulate --policy safeclaw.policy.yaml
```
Run a typical Copilot Agent Mode session. Review all logged verdicts. Refine your rules. Switch to enforcement.
What Gets Blocked, What Gets Through
ALLOWED — Agent edits a source file:
```json
{ "action": "file_write", "path": "/project/src/auth/middleware.ts", "verdict": "ALLOW" }
```
DENIED — Agent modifies a GitHub Actions workflow:
```json
{ "action": "file_write", "path": "/project/.github/workflows/ci.yml", "verdict": "DENY", "reason": "path matches .github/** deny rule" }
```
ALLOWED — Agent runs the test suite after code changes:
```json
{ "action": "shell_exec", "command": "npm test -- --watch", "verdict": "ALLOW" }
```
DENIED — Agent reads a private key for TLS context:
```json
{ "action": "file_read", "path": "/project/certs/server.pem", "verdict": "DENY", "reason": "path matches *.pem deny rule" }
```
DENIED — Agent tries to force-push:
```json
{ "action": "shell_exec", "command": "git push --force origin main", "verdict": "DENY", "reason": "git push --force* matches deny rule" }
```
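To make the Step 4 policy and the verdicts above concrete, here is a small added evaluator (example code, not SafeClaw's own implementation) that applies deny-by-default glob rules to action records of the shape logged above. Its matching and conflict-resolution semantics (segment-aware `*` and `**` for paths, prefix-style `*` for commands and hosts, deny overriding allow) are assumptions, since the page does not specify how SafeClaw resolves overlapping rules.

```javascript
// Added example, not SafeClaw's own code: a small evaluator that reproduces the
// verdicts shown above for the Step 4 policy. Assumptions the page does not
// state: in a path, "*" matches within one segment and "**" spans segments; in a
// command or host, "*" matches anything; if an allow and a deny rule both match,
// deny wins; with no matching rule the policy default (deny) applies.
const PROJECT_DIR = "/project";

// Hand-copied subset of safeclaw.policy.yaml with ${PROJECT_DIR} expanded. The
// .env and .pem patterns use ** so they match at any depth. The trailing
// host: "*" deny is omitted: default: deny already covers unlisted hosts, and
// under deny-overrides that rule would shadow the host allows.
const RULES = [
  { action: "file_read",  path: `${PROJECT_DIR}/**`,         effect: "allow" },
  { action: "file_read",  path: "**/.env*",                  effect: "deny"  },
  { action: "file_read",  path: "**/*.pem",                  effect: "deny"  },
  { action: "file_write", path: `${PROJECT_DIR}/src/**`,     effect: "allow" },
  { action: "file_write", path: `${PROJECT_DIR}/.github/**`, effect: "deny"  },
  { action: "shell_exec", command: "npm test*",              effect: "allow" },
  { action: "shell_exec", command: "git push --force*",      effect: "deny"  },
  { action: "shell_exec", command: "rm -rf*",                effect: "deny"  },
  { action: "network",    host: "registry.npmjs.org",        effect: "allow" },
];

// Compile a glob into an anchored RegExp; pathMode enables the ** and segment rules.
function globToRegExp(pattern, pathMode) {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c !== "*") { re += c.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); continue; }
    if (pathMode && pattern[i + 1] === "*") { re += ".*"; i++; }
    else re += pathMode ? "[^/]*" : ".*";
  }
  return new RegExp(`^${re}$`);
}

// Evaluate one action record of the shape logged in the verdict examples above.
function evaluate(action) {
  const field = { shell_exec: "command", network: "host" }[action.action] || "path";
  const hits = RULES.filter(r => r.action === action.action &&
    globToRegExp(r[field], field === "path").test(action[field]));
  const denial = hits.find(r => r.effect === "deny");
  if (denial) return { verdict: "DENY", reason: `${field} matches ${denial[field]} deny rule` };
  if (hits.length) return { verdict: "ALLOW" };
  return { verdict: "DENY", reason: "no matching rule; default deny" };
}

// Constructed sample actions: two verdicts from the page plus a .env read.
[{ action: "file_write", path: "/project/src/auth/middleware.ts" },
 { action: "shell_exec", command: "git push --force origin main" },
 { action: "file_read",  path: "/project/.env.local" },
].forEach(a => console.log(JSON.stringify({ ...a, ...evaluate(a) })));
```

Running it prints one verdict line per sample action in the same shape as the logged records above; the `.env.local` read is denied even though the broad `${PROJECT_DIR}/**` read allow also matches, because the deny rule wins.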
Without SafeClaw vs With SafeClaw
| Scenario | Without SafeClaw | With SafeClaw |
|---|---|---|
| Agent modifies CI/CD pipeline after "improve deployment" prompt | .github/workflows/ci.yml rewritten | Blocked — .github/** is denied for writes |
| Agent reads .env.local for configuration context | Environment variables in model context | Blocked — .env* path denied |
| Agent runs rm -rf dist/ to clean before rebuild | Command executes; path misinterpretation risk | Blocked — rm -rf* matches deny rule |
| Agent creates new test file in tests/ | File created normally | Allowed — tests/** in write allowlist |
| Agent iterates: edit code, npm test, read error, edit again | Full loop runs uninterrupted | Each action in the loop is individually evaluated |
SafeClaw evaluates policies in sub-millisecond time. Every action — allowed or denied — is recorded in a tamper-proof audit trail (SHA-256 hash chain). The control plane sees only action metadata, never your code or credentials. The client is 100% open source under MIT license, built with zero third-party dependencies, and backed by 446 tests under TypeScript strict mode.
Cross-References
- What is SafeClaw? — How deny-by-default action gating works
- How to Safely Use Cursor Agent Mode — Similar IDE-based agent with MCP integration
- How to Safely Use Claude Code — CLI-based coding agent safety
- How to Safely Run MCP Tool Servers — MCP server gating details
- How to Safely Use Windsurf Cascade Agent — Another IDE agent with similar capabilities
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
```bash
npx @authensor/safeclaw
```