Permission Vending Machine

by Tyler · GitHub ↗ · v1.1.1 · MIT-0
Platform: cross-platform
Risk flag: ⚠ suspicious
Downloads: 94
Stars: 0
Active Installs: 0
Versions: 7
Install in OpenClaw
/install permission-vending-machine
Description
Multi-channel approval system for AI agent permissions. GATES sensitive operations (file deletion, git force-push) behind human approval. Notifies via iMessa...
Usage Guidance
This implementation broadly does what it claims, but several red flags mean you should not install it without review and configuration. Key things to check before installing:

- Verify and lock down the HTTP approval endpoint. By default the daemon binds 0.0.0.0, and the approval handler approves the most recent pending request when no token is provided. Bind the server to localhost or to an internal-only interface, or protect it with authentication and firewall rules, and confirm that the server enforces tokens or signatures for every approval.
- Expect to supply several sensitive credentials (IMAP/SMTP password, Sendblue API key, webhook URLs, Telegram bot token). The registry metadata lists none. Decide where these will be stored and restrict file permissions on that location; prefer dedicated service accounts or app-specific passwords, and rotate the keys.
- Confirm the presence and provenance of the sendblue CLI if you enable iMessage: the code calls `sendblue` via subprocess, and the registry declares no required binaries even though the channel depends on it. Installing a CLI without verifying it is risky.
- Review server.py and CallbackHandler.verify_discord_interaction to make sure signature verification is actually enforced for each channel you enable. The code contains a verifier, but you must confirm that the server uses it and that the secrets are configured.
- Audit how approvals are parsed for email/IMAP: an approval is recognised from a plain APPROVE/DENY reply with an optional token. That works, but it means anyone who can send mail to the configured mailbox (or compromise it) can grant privileges. Hardening the mailbox and requiring tokens is strongly recommended.
- Test in an isolated environment first (a local VM), with minimal channels enabled (for example only a local Discord webhook, or localhost HTTP with auth), before exposing the daemon to the network or adding real approvers.

Given these mismatches (declared requirements versus real configuration needs) and the potentially insecure default approval behaviour, treat this skill as suspicious and perform the checks above, or request a signed, verified upstream release with provenance, before trusting it on production hosts.
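The first check above (and the Instruction Scope assessment below) describes an approval endpoint that binds 0.0.0.0 and approves the newest pending request when no token arrives. What follows is an added example written for this review, not code from the Permission Vending Machine project: it puts that fallback next to a hardened handler in which every decision requires a request id and a request-bound, single-use, expiring token compared in constant time, and in which the server binds to loopback unless told otherwise. The names PendingRequest, ApprovalStore, start_server and post_approval are hypothetical, and the sample actions are constructed.

```python
# Added example for this review, not the PVM project's code; all names are hypothetical.
import hmac
import itertools
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

_seq = itertools.count()  # creation order; only the insecure fallback needs it


@dataclass
class PendingRequest:
    request_id: str
    action: str        # the guarded command, e.g. "git push --force"
    token: str         # single-use secret delivered to the human approver
    expires_at: float  # unix time after which approval is refused
    seq: int
    status: str = "pending"  # pending | approved | expired


class ApprovalStore:
    """In-memory store of guarded actions awaiting a human decision."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self._ttl, self._lock, self._requests = ttl_seconds, threading.Lock(), {}

    def create(self, action: str) -> PendingRequest:
        req = PendingRequest(secrets.token_hex(8), action, secrets.token_urlsafe(24),
                             time.time() + self._ttl, next(_seq))
        with self._lock:
            self._requests[req.request_id] = req
        return req

    def insecure_approve(self, token: Optional[str]) -> Optional[PendingRequest]:
        """The fallback the Usage Guidance warns about: no token => approve the newest pending request."""
        with self._lock:
            pending = [r for r in self._requests.values() if r.status == "pending"]
            newest = max(pending, key=lambda r: r.seq, default=None)
            if newest is not None and (token is None or token == newest.token):
                newest.status = "approved"  # anyone who can reach the port can do this
                return newest
            return None

    def approve(self, request_id: Optional[str], token: Optional[str]) -> Tuple[bool, str]:
        """Hardened path: name the request AND present its single-use token (constant-time compare, expiry)."""
        if not request_id or not token:
            return False, "request_id and token are required"
        with self._lock:
            req = self._requests.get(request_id)
            if req is None:
                return False, "unknown request"
            if req.status != "pending":
                return False, "request already " + req.status
            if time.time() > req.expires_at:
                req.status = "expired"
                return False, "request expired"
            if not hmac.compare_digest(req.token.encode(), token.encode()):
                return False, "bad token"
            req.status = "approved"
            return True, "approved"


def start_server(store: ApprovalStore, host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Serve POST /approve on a background thread: loopback by default, never 0.0.0.0; port 0 = OS-chosen."""

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self) -> None:
            url = urlparse(self.path)
            if url.path != "/approve":
                return self._reply(404, {"ok": False, "error": "not found"})
            q = parse_qs(url.query)
            ok, msg = store.approve(q.get("request_id", [None])[0], q.get("token", [None])[0])
            self._reply(200 if ok else 403, {"ok": ok, "error": None if ok else msg})

        def _reply(self, code: int, body: dict) -> None:
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *_args) -> None:  # keep stderr quiet
            pass

    server = HTTPServer((host, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_approval(port: int, query: str = "") -> Tuple[int, dict]:
    """Approver side of the exchange: POST /approve, return (status, decoded body)."""
    req = urllib.request.Request("http://127.0.0.1:%d/approve%s" % (port, query), data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())
```

In a real deployment the store would be populated by the safe wrappers and the token delivered out of band over the notification channel; the property to check for in the project's server.py is the same as in `approve` here: a request with no token is refused outright rather than matched to whichever request happens to be newest, and the port is loopback or firewalled.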
Capability Assessment
Purpose & Capability
The code implements a local multi-channel approval system that matches the SKILL.md purpose (vault, wrappers, IMAP/sendblue/Discord/HTTP approvals). However the registry metadata declares no required env vars or binaries while the project clearly requires API keys, IMAP credentials, webhook URLs and the `sendblue` CLI/binary when those channels are enabled — a mismatch that reduces transparency and is unexpected.
Instruction Scope
Runtime instructions and code ask the agent (or installer) to start a persistent approval daemon, run wrappers that execute destructive commands once a grant is given, and configure many external channels. More importantly, the HTTP approval handler approves the most recent pending request if the token is missing or invalid, and the daemon starts an HTTP server bound to 0.0.0.0 by default, which creates an exposed approval surface that can be abused unless it is network-restricted or authenticated. Email/IMAP approvals and Sendblue polling accept a plain 'APPROVE' reply from the mailbox or phone; that is the intended behaviour, but it means those channels must be tightly controlled.
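The email/IMAP point made here and in the Usage Guidance is that a mailbox which accepts a bare APPROVE reply grants privileges to whoever can get mail into it. The following is an added example written for this review, not the project's email poller: it strips quoted text and signatures so that the bot's own prompt can never be read back as a decision, checks the sender against an approver allowlist, and requires a request-bound token unless that is explicitly relaxed. The function names, the `pending` mapping (request id to token) and the sample messages are constructed for illustration. The From check is only as strong as the mailbox, because From is spoofable unless the receiving side enforces SPF/DKIM; that enforcement is outside this example.

```python
# Added example for this review, not the PVM project's code; names and samples are constructed.
import email
import email.utils
import hmac
import re
from email import policy
from typing import Dict, Iterable, Optional, Tuple

# A decision line must START with APPROVE or DENY; "APPROVED the budget" does not count.
DECISION_RE = re.compile(r"^\s*(APPROVE|DENY)\b(?:[\s:]+(\S+))?", re.IGNORECASE)
# Lines that begin a quoted original (Gmail/Apple Mail attribution, Outlook separator).
QUOTE_START_RE = re.compile(r"^(On .+ wrote:|-+ ?Original Message ?-+)$", re.IGNORECASE)


def reply_text(raw: bytes) -> str:
    """Plain-text body of a reply minus quoted original, attribution and signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    kept = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "--" or QUOTE_START_RE.match(stripped):
            break  # signature or quoted original: nothing below may count as a decision
        if stripped.startswith(">"):
            continue  # inline-quoted line
        kept.append(line)
    return "\n".join(kept)


def parse_decision(text: str) -> Optional[Tuple[str, Optional[str]]]:
    """First APPROVE/DENY line wins; returns (decision, token or None)."""
    for line in text.splitlines():
        m = DECISION_RE.match(line)
        if m:
            return m.group(1).upper(), m.group(2)
    return None


def evaluate_reply(raw: bytes, approvers: Iterable[str], pending: Dict[str, str],
                   require_token: bool = True) -> Tuple[str, str]:
    """Returns ('approved'|'denied', request_id) or ('rejected', reason).
    pending maps request_id -> token issued with the notification."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in {a.lower() for a in approvers}:
        return "rejected", "sender %s is not an approver" % sender
    decision = parse_decision(reply_text(raw))
    if decision is None:
        return "rejected", "no APPROVE/DENY line in reply"
    verb, token = decision
    if token is None:
        if require_token:
            return "rejected", "token required"
        if len(pending) != 1:  # a bare APPROVE is only meaningful when unambiguous
            return "rejected", "ambiguous: %d pending requests" % len(pending)
        request_id = next(iter(pending))
    else:
        hits = [rid for rid, t in pending.items()
                if hmac.compare_digest(t.encode(), token.encode())]
        if not hits:
            return "rejected", "unknown token"
        request_id = hits[0]
    return ("approved" if verb == "APPROVE" else "denied"), request_id


# Constructed sample replies (not real traffic).
SAMPLE_APPROVE = b"""From: Tyler <tyler@example.com>
Subject: Re: [PVM] approve: git push --force origin main
Content-Type: text/plain; charset=utf-8

Approve: pvm-7f3a9c
-- 
Sent from my phone
"""
SAMPLE_QUOTE_ONLY = b"""From: Tyler <tyler@example.com>
Subject: Re: [PVM] approve: rm -rf build/
Content-Type: text/plain; charset=utf-8

Looking now.

-----Original Message-----
From: pvm-bot@example.com
Subject: [PVM] approve: rm -rf build/

APPROVE pvm-7f3a9c to grant, or DENY pvm-7f3a9c to refuse.
"""
SAMPLE_SPOOFED = b"""From: Tyler <tyler@attacker.example>
Content-Type: text/plain; charset=utf-8

APPROVE pvm-7f3a9c
"""
SAMPLE_BARE = b"""From: tyler@example.com
Content-Type: text/plain; charset=utf-8

APPROVE
"""
```

`SAMPLE_QUOTE_ONLY` is the case to look for when reviewing the project's poller: the approver wrote nothing but "Looking now.", yet the quoted prompt below the Outlook separator contains the literal text `APPROVE pvm-7f3a9c`; a parser that scans the whole body for the keyword treats that reply as a grant.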
Install Mechanism
There is no formal install spec in the registry, but SKILL.md and README instruct cloning the GitHub repo and running `pip install -e .` or the included setup wizard. That is typical for an open-source Python tool; no opaque external archive downloads are present. Still, installing a service that listens on a network port and runs continuously is higher-risk than an instruction-only skill — review the code before you pip-install.
Credentials
Although the registry lists no required environment variables or credentials, the project requires multiple sensitive secrets to function: IMAP username/password, SMTP settings, Sendblue API key and CLI binary, Discord/Slack webhook URLs, Telegram bot token, etc. Those are reasonable for multi-channel notifications but the registry should have declared them. Because the skill will store and use those secrets and poll inboxes / invoke a local binary, you should confirm where you place them and that the daemon has minimal access.
Persistence & Privilege
The skill is designed to run as a persistent daemon (launchd/systemd/Windows service) and listens for HTTP callbacks. Although the registry's 'always' flag is false, running as a system service and binding to 0.0.0.0 expands the blast radius. Combined with code that may approve the most recent pending request when the token is absent, this is a notable privilege surface that needs careful network and access controls.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install permission-vending-machine
  3. After installation, invoke the skill by name or use /permission-vending-machine
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
- Internal code update in src/pvm/setup_wizard.py.
- No user-facing changes or documentation updates.
v1.1.0
- Added setup wizard module to assist with initial configuration.
- Updated CLI and documentation to reflect new setup process.
- Upgraded dependencies in pyproject.toml.
- Improved onboarding experience for new users.
v1.0.4
- Improved email approval polling logic in the approval system.
- Updated sample configuration in config.example.yaml for clarity.
- Minor code cleanups and enhancements to Sendblue and email poller modules.
v1.0.3
- Updated README.md for improved documentation clarity and setup instructions.
- No code or feature changes; this version contains documentation improvements only.
v1.0.2
- Updated README.md with clarifications and expanded setup instructions.
- No functional or code changes; documentation only.
v1.0.1
- Updated documentation in PLATFORMS.md for platform-specific setup details.
- No changes to code or user-facing features.
v1.0.0
Initial release of Permission Vending Machine (PVM).
- Introduces a multi-channel approval system for AI agent permissions, gating sensitive actions like file deletion and git force-push.
- Notifies approvers via iMessage, Email, Discord, Telegram, and Slack, enforcing time-limited human grants before execution of destructive commands.
- Provides command-line tools for requesting, approving, revoking, and auditing permissions.
- Includes safe wrappers for commands (e.g., safe-rm, safe-git-push) to ensure guarded operations.
- Supports macOS, Linux, and Windows with platform-specific setup instructions.
Metadata
Slug: permission-vending-machine
Version: 1.1.1
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 7
Frequently Asked Questions

What is Permission Vending Machine?

Multi-channel approval system for AI agent permissions. GATES sensitive operations (file deletion, git force-push) behind human approval. Notifies via iMessa... It is an AI Agent Skill for Claude Code / OpenClaw, with 94 downloads so far.

How do I install Permission Vending Machine?

Run "/install permission-vending-machine" in the OpenClaw or Claude Code chat to install it in one step. Installation alone is not enough to use it: the approval daemon still needs channel credentials and the configuration described under Usage Guidance (the project ships a setup wizard for this).

Is Permission Vending Machine free?

Yes, Permission Vending Machine is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Permission Vending Machine support?

Permission Vending Machine is cross-platform: the project documents setup for macOS, Linux, and Windows, and it runs anywhere OpenClaw / Claude Code is available.

Who created Permission Vending Machine?

It is built and maintained by Tyler (@tylerdotai); the current version is v1.1.1.
