ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Veto Approval (Human-in-the-Loop)

v1.0.0

Pause your agent for human approval before high-risk actions.

0· 107·0 current·0 all-time
by@mrchop

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mrchop/veto-approval.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Veto Approval (Human-in-the-Loop)" (mrchop/veto-approval) from ClawHub.
Skill page: https://clawhub.ai/mrchop/veto-approval
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install veto-approval

ClawHub CLI

Package manager switcher

npx clawhub@latest install veto-approval
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, README, and veto_skill.py all consistently implement a human-approval (veto) flow that sends an approval email and polls vetoapi.com for the decision. The requested capability matches the implementation. Note: the registry metadata incorrectly lists no required environment variables, but the skill actually requires VETO_API_KEY.
Instruction Scope
SKILL.md and the code limit actions to sending a request to vetoapi.com (action_title, user_email, context) and polling for the decision. The code loads a .env file (via python-dotenv) and blocks (polls every 5s) until approval or rejection. This behavior is within the stated purpose, but the indefinite blocking/polling can hang agents and there is network transmission of the API key and request data to an external service.
Install Mechanism
There is no install spec in the registry (instruction-only), but README and the code require third-party packages (requests, python-dotenv). Lack of an install spec means the runtime must already provide those packages or the skill will fail; no downloads or obscure hosts are used. BASE_URL points to vetoapi.com, a single, explicit endpoint.
!
Credentials
The skill requires a single API secret (VETO_API_KEY) which is proportionate to its function, but the registry metadata advertises no required env vars or primary credential while the SKILL.md/README and code require VETO_API_KEY. The code reads .env (which may contain other secrets) and sends the API key to an external service; users must trust vetoapi.com with the key. The metadata omission is an incoherence that reduces transparency.
Persistence & Privilege
The skill does not request permanent installation privileges (always: false), does not modify other skills or system-wide settings, and does not persist credentials beyond using the API key to call the external API.
What to consider before installing
This skill appears to do what it claims (send an approval email and wait for a decision), but beware of three practical issues before installing: (1) Metadata mismatch — the registry lists no required env vars even though the code and docs require VETO_API_KEY; confirm you supply the key only if you trust vetoapi.com. (2) Packaging gap — there is no install spec; you must ensure requests and python-dotenv are available in your runtime environment. (3) Operational behavior — the function blocks and polls indefinitely (every 5s) while waiting for approval, which can hang agents; consider adding timeouts or safeguards. Recommended steps: verify the vendor (vetoapi.com) and its privacy/security policy, test with a non-production/test API key, run the module in an isolated environment, confirm your agent correctly handles a False return or connection errors, and consider adding a polling timeout or explicit cancel behavior before using in production.

Like a lobster shell, security has layers — review code before you run it.

human-in-the-loopvk9776axhg41xatn1fccmanegf983h6tylatestvk9776axhg41xatn1fccmanegf983h6tysafetyvk9776axhg41xatn1fccmanegf983h6ty
107downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@mrchop
human-in-the-looplatestsafety
Download

Veto Approval Skill

This skill allows your agent to send a 1-click approval email to you before proceeding with sensitive tasks.

Setup

  1. Get your API Key at vetoapi.com
  2. Add VETO_API_KEY to your environment.

Usage

from veto_skill import ask_human_permission

approved = ask_human_permission(
    action_title="Send invoice for $5,000 to Client X",
    user_email="boss@company.com",
    context="Monthly retainer — Q1 2026"
)

if approved:
    send_invoice()
else:
    print("Action blocked by human.")

How it works

  1. Your agent calls ask_human_permission()
  2. An approval email with Approve and Reject buttons is sent to user_email
  3. The function blocks until a decision is made (polls every 5 seconds)
  4. Returns True if approved, False if rejected

Comments

Loading comments...