Agent Access Control
v1.0.1Tiered stranger access control for AI agents. Use when setting up contact permissions, handling unknown senders, managing approved contacts, or configuring s...
⭐ 0· 1.3k·7 current·8 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the actual behavior: tiered contact management, deflection message, owner approval flow, rate-limiting, and local audit logging. The required artifacts (memory JSON, notifyChannel/notifyTarget) are appropriate for this purpose. There are no unrelated env vars, binaries, or install steps demanded by the skill.
Instruction Scope
SKILL.md gives concrete runtime steps (normalize IDs, check owner/blocked/approved, run stranger flow, update memory files, log audit entries). This is within scope, but a few instructions are vague and worth attention: (1) 'Notify owner' assumes the agent will deliver a message via an existing messaging integration but does not specify how to detect or sanitize 'suspicious links' (it says not to forward verbatim but doesn't define the detection). (2) The skill instructs storing message excerpts and notifying owners, which is expected for access control but is a potential privacy-leak vector if operator expectations differ. (3) Tier enforcement forbids tool use for chat-only contacts while the overall skill still requires writing and reading memory/log files for bookkeeping — this is logically consistent (management writes happen outside chat responses) but should be understood by operators.
Install Mechanism
No install spec; only an innocuous helper script that initializes a JSON config in the agent 'memory' directory. No downloads, no external URLs, and no extraction steps. Minimal disk writes are limited to memory files that the skill intentionally manages.
Credentials
Skill declares no required env vars or credentials, which is proportionate. However, its notification and messaging behaviors implicitly rely on the agent having platform credentials/integrations (Telegram/WhatsApp/Discord/Signal). The skill does not request or store those credentials itself — operators must ensure those integrations exist and are secured elsewhere. Also note the skill will store sender message excerpts and owner IDs in local memory files.
Persistence & Privilege
always is false and the skill does not request elevated persistence or modify other skills. It creates and updates its own memory/config and an audit log in the agent's memory directory, which is normal for this functionality.
Assessment
This skill appears to do what it says: manage stranger/owner/trusted tiers and keep local logs. Before installing: 1) Confirm your agent already has the messaging integrations and credentials (Telegram/WhatsApp/Discord/Signal) needed to send owner notifications — the skill does not include or request these credentials. 2) Decide what level of message excerpting you are comfortable storing and notifying the owner about (the skill stores first-chars of messages); if messages can contain sensitive content, adjust the excerpting and sanitization. 3) Define how 'suspicious links' will be detected or filtered, since the instructions say not to forward verbatim but provide no detection rules. 4) Ensure memory/ is gitignored and access to the agent's filesystem is restricted, because owner IDs, pending approvals, and logs are stored there. 5) Test the flow with dummy IDs to confirm notifications and approval commands behave as you expect before deploying to real users.Like a lobster shell, security has layers — review code before you run it.
latestvk9725ngzjpdkmntck0ycszep718146cj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.