Local Approvals

Security checks across malware telemetry and agentic risk

Overview

This local-only approval skill largely matches its purpose, but it can let programmatic or agent-driven commands approve requests and persist future auto-approvals, weakening the intended human approval boundary.

Install only if you can ensure approval commands are run by a human, not autonomously by the same agents being approved. Avoid approve --learn for broad categories, periodically review and reset auto-approved categories, and verify the history/audit behavior before relying on it for safety.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
High
What this means

An agent or local process able to invoke the skill could potentially approve requests as 'user' and add future auto-approvals, undermining the approval system's purpose.

Why it was flagged

The approval authority is exposed through a programmatic command, including an arbitrary reviewer label and an option to learn future auto-approvals. For a human-in-the-loop permission gate, this lacks a clear enforced human-only boundary.

Skill content
python cli.py approve <request_id> [--learn] [--reviewer <name>] ... The CLI is designed to be used both interactively and programmatically.
Recommendation

Use this only where approval commands are restricted to a real human. Disable autonomous model invocation for approval actions if possible, require explicit user confirmation, and do not let general-purpose agents run approve or approve --learn.

ASI06: Memory and Context Poisoning
Medium
What this means

A broad or mistaken learned category may cause later operations to be auto-approved without another prompt.

Why it was flagged

The skill intentionally stores persistent approval policy in local state. This is purpose-aligned and disclosed, but the stored category list can affect future decisions across sessions.

Skill content
This enables learning from approved decisions - once a category is trusted for an agent, it gets auto-approved in the future. ... state["auto_approve"][agent].append(category)
Recommendation

Use --learn only for narrow, trusted categories, review saved categories regularly, and use the reset command after mistakes or suspicious activity.

ASI09: Human-Agent Trust Exploitation
Low
What this means

You may have less usable audit visibility than the skill description suggests.

Why it was flagged

The documentation advertises approval history, but the visible decision update path stores decisions in pending.json and the history command reads state.json history. Users should not assume the documented history view is a complete audit trail without testing it.

Skill content
history = state.get("history", []) ... if not history: print("✓ No approval history found")
Recommendation

Verify that history output actually records approvals and denials in your environment, and inspect pending.json/state.json directly if you rely on this for auditability.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill may not run as expected unless Python is available, despite registry requirements saying no binaries are needed.

Why it was flagged

The bundled metadata requires Python, while the registry requirements list no required binaries. This is a metadata consistency issue rather than evidence of malicious installation behavior.

Skill content
"requires": { "python": ">=3.8", "bins": ["python"] }
Recommendation

Confirm Python availability before use and prefer registry metadata that accurately declares runtime requirements.