Local Approvals

Warn

Audited by ClawScan on May 10, 2026.

Overview

This local-only skill does not show data exfiltration, but it exposes approval and auto-approval controls in ways an agent or script could misuse without a verifiable human review.

Install only if you can ensure agents cannot call approve or --learn on their own. Treat the state files as a permission database, review and reset auto-approved categories regularly, and do not rely on the history command for auditing until the implementation is fixed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent or script that can invoke this skill could approve a pending request or make a category auto-approved for future requests.

Why it was flagged

The documented interface supports programmatic approval and auto-learning of approval categories. Because the registry allows model invocation by default, this exposes a high-impact approval tool to agent use unless an external control blocks it.

Skill content

python cli.py approve <request_id> [--learn] [--reviewer <name>] ... The CLI is designed to be used both interactively and programmatically.

Recommendation

Separate human-only approval commands from agent-callable request/check functions, disable autonomous invocation for approve and --learn actions, and require an explicit user confirmation step.

What this means

Approval records could falsely appear to have been made by the user even if a programmatic caller triggered them.

Why it was flagged

The reviewer identity is a caller-supplied string that defaults to 'user'; the artifacts do not show authentication or proof that a human actually approved the request.

Skill content

def approve(request_id: str, reviewer: str = "user", auto_learn: bool = False) ... approve_parser.add_argument("--reviewer", default="user", help="Who is approving (default: user)")

Recommendation

Do not let callers choose the reviewer identity directly; bind approvals to a real interactive user/session and reject approval attempts from agent-controlled contexts.

What this means

If a broad category such as file_write or network is learned incorrectly, future agent actions in that category may bypass normal review.

Why it was flagged

Auto-approved categories are stored persistently and later trusted by category name. The code does not show expiry, category allowlists, per-operation scoping, or protections against a bad learned category.

Skill content

return category in agent_approvals ... state["auto_approve"][agent].append(category) ... _save_state(state)

Recommendation

Use narrow operation-level approvals, add expiry and reset controls, require separate confirmation for high-risk categories, and audit changes to auto-approve state.

What this means

Users may believe they have a reliable approval audit trail when the CLI history command may show no decisions.

Why it was flagged

The skill advertises approval history tracking, but the visible history command only reads state.history, while the decision update path shown in core.py saves decisions to pending.json and does not append a history entry.

Skill content

history = state.get("history", []) ... if not history: print("✓ No approval history found")

Recommendation

Implement an append-only decision history or make the history command read decided requests from pending.json; until then, do not rely on the advertised history feature for auditing.