Permission Vending Machine
v1.1.1
Multi-channel approval system for AI agent permissions. Gates sensitive operations (file deletion, git force-push) behind human approval. Notifies via iMessa...
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code implements a local multi-channel approval system that matches the SKILL.md purpose (vault, wrappers, IMAP/sendblue/Discord/HTTP approvals). However the registry metadata declares no required env vars or binaries while the project clearly requires API keys, IMAP credentials, webhook URLs and the `sendblue` CLI/binary when those channels are enabled — a mismatch that reduces transparency and is unexpected.
Instruction Scope
Runtime instructions and code ask the agent (or installer) to start a persistent approval daemon, run wrappers that will execute destructive commands when granted, and configure many external channels. More importantly, the HTTP approval handler will approve the most-recent pending request if a token is missing/invalid, and the daemon starts an HTTP server bound to 0.0.0.0 by default — creating an exposed approval surface that could be abused if not properly network-restricted or authenticated. Email/IMAP-based approvals and Sendblue polling will accept plain 'APPROVE' replies from the mailbox/phone, which is expected behavior but means those channels must be tightly controlled.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md and README instruct cloning the GitHub repo and running `pip install -e .` or the included setup wizard. That is typical for an open-source Python tool; no opaque external archive downloads are present. Still, installing a service that listens on a network port and runs continuously is higher-risk than an instruction-only skill — review the code before you pip-install.
Credentials
Although the registry lists no required environment variables or credentials, the project requires multiple sensitive secrets to function: IMAP username/password, SMTP settings, Sendblue API key and CLI binary, Discord/Slack webhook URLs, Telegram bot token, etc. Those are reasonable for multi-channel notifications but the registry should have declared them. Because the skill will store and use those secrets and poll inboxes / invoke a local binary, you should confirm where you place them and that the daemon has minimal access.
Persistence & Privilege
The skill is designed to run as a persistent daemon (launchd/systemd/Windows service) and listens for HTTP callbacks. Although 'always' is false, running as a system service + binding to 0.0.0.0 expands the blast radius. Combined with the code behavior that may approve the most-recent pending request if a token is absent, this is a notable privilege surface that requires careful network and access controls.
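The fail-open token handling and 0.0.0.0 bind flagged above, set next to a fail-closed handler bound to loopback. This is an added example, not PVM's code: `PENDING`, `approve_fail_open`, `approve_fail_closed` and `ApprovalHandler` are hypothetical names, and only the `/approve/<token>` path and port 7823 come from the page.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PENDING = {}                   # hypothetical vault: token -> pending request
BIND = ("127.0.0.1", 7823)     # loopback only, not the 0.0.0.0 default

def new_request(scope):
    """Register a pending request and return its approval token."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"scope": scope, "approved": False}
    return token

def approve_fail_open(token):
    """Flawed pattern from the scan: a bad token falls back to the newest request."""
    req = PENDING.get(token)
    if req is None and PENDING:
        req = list(PENDING.values())[-1]
    if req is not None:
        req["approved"] = True
    return req

def approve_fail_closed(token):
    """Hardened: exact constant-time match only, and each token works once."""
    for known in list(PENDING):
        if token and hmac.compare_digest(known.encode(), token.encode()):
            req = PENDING.pop(known)
            req["approved"] = True
            return req
    return None

def token_from_path(path):
    """Extract <token> from /approve/<token>; anything else yields ''."""
    prefix = "/approve/"
    return path[len(prefix):] if path.startswith(prefix) else ""

class ApprovalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        granted = approve_fail_closed(token_from_path(self.path))
        self.send_response(200 if granted else 403)
        self.end_headers()
        self.wfile.write(b"approved\n" if granted else b"denied\n")

if __name__ == "__main__":
    ThreadingHTTPServer(BIND, ApprovalHandler).serve_forever()
```

When reviewing the real `server.py`, the thing to look for is the equivalent of the fallback branch in `approve_fail_open`: any path where a missing or unmatched token still selects a request.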
What to consider before installing
This implementation broadly does what it claims, but several red flags mean you should not install it without review and configuration. Key things to check before installing:
- Verify and lock down the HTTP approval endpoint: by default the daemon binds 0.0.0.0 and the approval handler will approve the most-recent pending request when no token is provided — ensure the server is bound to localhost or to an internal-only interface or protected by authentication/firewall rules, and confirm the server enforces tokens/signatures for approvals.
- Expect to provide several sensitive credentials (IMAP/SMTP password, Sendblue API key, webhook URLs, Telegram bot token). The registry metadata lists none; confirm where you will store these and restrict file permissions. Prefer dedicated service accounts / app-specific passwords and rotate keys.
- Confirm presence and provenance of the sendblue CLI if you enable iMessage: the code calls `sendblue` via subprocess; the registry said no required binaries but the channel depends on it. Installing a CLI without verifying it is risky.
- Review server.py and CallbackHandler.verify_discord_interaction to ensure signature verification is actually enforced for each channel you enable (the code contains a verifier but you must confirm the server uses it and that secrets are configured).
- Audit how approvals are parsed (email/IMAP): email approvals look for plain APPROVE/DENY and an optional token. This works but means anyone who can send mail to the configured mailbox (or compromise it) can grant privileges. Hardening the mailbox and using tokens is strongly recommended.
- Test in an isolated environment first (local VM) and run with minimal channels enabled (e.g., only local Discord webhook or localhost HTTP with auth) before exposing to network or adding real approvers.
Given these mismatches (missing declared requirements vs. real config needs) and the potentially insecure default approval behavior, treat this skill as suspicious and perform the checks above (or request a signed/verified upstream release and provenance) before trusting it on production hosts.
Like a lobster shell, security has layers — review code before you run it.
agent ai approval latest permissions security
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Permission Vending Machine (PVM)
Multi-channel approval system for AI agent permissions.
Gates sensitive operations (file deletion, git force-push, etc.) behind a human approver. Notifies via iMessage/SMS, Email, Discord, Telegram, or Slack — and enforces grants before running dangerous commands.
When to use
Use when an AI agent needs to perform an operation that could be destructive:
- Deleting files or directories
- Force-pushing to git repositories
- Moving files to trash outside the agent's workspace
Quick Setup
```bash
# 1. Install
git clone https://github.com/tylerdotai/permission-vending-machine.git
cd permission-vending-machine
pip install -e .

# 2. Configure
cp config.example.yaml config.yaml
# Edit config.yaml with your API keys

# 3. Start the daemon (macOS)
launchctl load ~/Library/LaunchAgents/ai.flume.pvm.plist

# 4. Agent requests permission
pvm request --scope "/tmp/build" --reason "cleaning artifacts" --duration 5

# 5. Approver approves via iMessage, email, or Discord link

# 6. Agent runs guarded command
safe-rm -rf /tmp/build
```
How it works
```
Agent → pvm request → Vault (pending) → Notify all channels
                            ↓
            Approver approves via any channel
                            ↓
Grant created → Agent unblocks → safe-* command executes
```
Approval Methods
| Method | How to approve |
|---|---|
| iMessage | Reply APPROVE (no token needed) |
| Email | Reply APPROVE in the approval email |
| Discord | Click "Click to approve" link |
| HTTP | `curl http://host:7823/approve/<token>` |
Configuration
Key settings in config.yaml:
```yaml
channels:
  sendblue:          # macOS only — iMessage via CLI
    enabled: true
    from_number: "+1..."
    approver_numbers: ["+1..."]
  email:             # cross-platform
    enabled: true
    imap_host: "imap.example.com"
    username: "user"
    password: "pass"
  discord:           # cross-platform
    enabled: true
    webhook_url: "https://discord.com/api/webhooks/..."
http_approval_base: "http://your-server:7823"
```
CLI Commands
```bash
pvm request --scope <path> --reason <text> --duration <min>  # Request approval
pvm status --agent-id <id>                                   # List active grants
pvm revoke --grant-id <id>                                   # Revoke early
pvm log --limit 50                                           # Audit log
pvm serve --port 7823                                        # HTTP server
pvm approve-daemon --port 7823                               # Full daemon
```
Wrappers
Prepend `safe-` to guarded commands:
- `safe-rm -rf /path`: checks path scope grant
- `safe-git-push --force`: checks repo scope grant
- `safe-trash /path`: checks path scope grant
Platforms
- macOS: launchd service, Sendblue iMessage works
- Linux: systemd service, use Discord/email/Telegram for approvals
- Windows: NSSM/Task Scheduler, use Discord/email/Telegram
See docs/PLATFORMS.md for detailed setup per platform.
