Description

Request human approval via biometric auth before performing sensitive actions. Use this skill whenever an action is irreversible, destructive, or requires hu...

README (SKILL.md)

AgentMFA Skill

Name: AgentMFA
Author: leiarenee

AgentMFA does not execute actions. It pauses your agent and requests biometric approval from the human operator's mobile app. The agent only proceeds — or aborts — based on the human's decision.

Use this skill before performing any sensitive or irreversible action. The human operator will receive a push notification, review the action, and approve or reject it with biometrics.

About AgentMFA

Operator: AgentMFA (https://agentmfa.ai)
MCP server: Local binary (@agentmfa/mcp) that runs on your machine and makes outbound HTTPS calls to api.agentmfa.ai
Auth: Requires AGENTMFA_API_KEY set in your shell environment — obtain from the AgentMFA dashboard after signing up
Privacy & security policy: https://agentmfa.ai/privacy
Source code: https://github.com/agentmfa/agentmfa-integrations (fully open source — MCP server source is in mcp/)

The MCP server must be configured in your agent runtime before this skill can be used. See the setup instructions at https://github.com/agentmfa/agentmfa-integrations.

For production use, pin the MCP server to a specific version rather than using latest:

npx @agentmfa/[email protected]

Review the package source at https://github.com/agentmfa/agentmfa-integrations/tree/main/mcp before installing. To verify the binary matches the published source, check the SHA256 hash against checksums.txt in the GitHub release:

sha256sum $(which agentmfa-mcp)

When to Use

Deleting or modifying production data
Deploying code to production
Sending emails or messages on behalf of the user
Actions that could result in financial charges or transactions
Modifying infrastructure (cloud resources, DNS, etc.)
Any action explicitly marked as requiring human approval

How to Use

This skill uses the AgentMFA MCP server tools. The MCP server handles all API communication — your agent code makes only tool calls, no direct HTTP calls. The MCP server requires AGENTMFA_API_KEY to be set in your shell environment.

Standard flow (blocking)

1. Call request_approval(action, context, risk_level)
   → returns { id, status: "pending", expires_at, ... }

2. Call wait_for_approval(request_id: \x3Cid from step 1>)
   → blocks until human decides (polls every 3s)
   → returns { status: "approved", code: "..." }
          or { status: "rejected" }
          or { status: "expired" }

3a. status == "approved"  → proceed; treat the code as a sensitive one-time token
3b. status == "rejected"  → abort; inform the user
3c. status == "expired"   → abort; treat as rejected

Non-blocking check

If you need to do other work while waiting, use check_approval_status(request_id) to poll manually instead of wait_for_approval.

Rules

Always wait for approval before proceeding — never skip or assume approval
Abort on rejection — do not retry the same action without user re-initiation
Abort on expiry — a timed-out request is treated as rejected
Be specific — action and context should give the human enough detail to decide
Handle the code carefully — the one-time approval code returned on approval is a sensitive one-time token; do not write it to logs or external systems

MCP Tools

Tool	Purpose
`request_approval(action, context?, risk_level?)`	Submit approval request, returns request ID
`wait_for_approval(request_id, timeout_seconds?)`	Block until decided, returns status + code
`check_approval_status(request_id)`	Single non-blocking poll

Usage Guidance

This skill appears coherent, but verify before installing: 1) Inspect the npm package source (github link) and pin to a specific release (do not use unpinned npx latest). 2) Verify the binary checksum after installation to ensure it matches the release. 3) Review the privacy/security policy and what fields (action, context) are sent to api.agentmfa.ai — avoid including secrets or full sensitive payloads in the context. 4) Limit the AGENTMFA_API_KEY scope if possible and rotate keys regularly. 5) Consider running the MCP binary in a restricted environment (limited network access/logging) while you evaluate its behavior. 6) If you require higher assurance, perform an internal code audit of the mcp/ subdirectory and review the npm package's maintainers and release history.

Capability Analysis

Type: OpenClaw Skill Name: agentmfa Version: 1.0.11 The agentmfa skill implements a human-in-the-loop approval system using an MCP server (@agentmfa/mcp) to gate sensitive agent actions behind biometric authentication. The documentation in SKILL.md and the reference files provide clear, security-conscious instructions for the AI agent, including mandatory approval checks and error handling. No evidence of malicious behavior, data exfiltration, or prompt injection was found.

Capability Tags

cryptocan-make-purchasesrequires-sensitive-credentials

Capability Assessment

✓ Purpose & Capability

The skill is an MFA/approval gateway and requires a local MCP binary (installed from an npm package) and an AGENTMFA_API_KEY. These requirements are proportionate to a service that pauses agent actions and forwards approval requests to api.agentmfa.ai. No unrelated credentials, binaries, or config paths are requested.

✓ Instruction Scope

SKILL.md instructs the agent to use the local MCP tools (request_approval, wait_for_approval, check_approval_status) and explicitly says the MCP server performs outbound HTTPS calls. The instructions do not tell the agent to read unrelated system files or to transmit extra data. It warns not to log one-time approval codes (good).

ℹ Install Mechanism

Installation is via an npm package (@agentmfa/mcp) that creates a local binary (agentmfa-mcp). Using a published npm package is expected for this purpose, but npm packages run arbitrary code on install — follow the skill's own advice to pin versions and review the repository and checksums before installing.

✓ Credentials

Only AGENTMFA_API_KEY is required and declared as the primary credential. That is reasonable for a third-party approval service. Users should confirm the API key's scope and what data the service receives in approval requests (action/context may include sensitive details).

✓ Persistence & Privilege

The skill does not request always:true or system-wide configuration changes. It installs a local helper binary (normal for this use). Model invocation is enabled (default) which is standard; this alone is not a coherence problem.

Version History

v1.0.11

- Added security best practices for production use, recommending MCP server version pinning instead of using latest. - Included instructions to verify the MCP server binary hash against published checksums before installing. - No code changes; documentation updates only.

v1.0.10

- Minor update to rules language: clarified that the approval code is a sensitive one-time token and should not be written to logs or external systems. - No functional or interface changes.

v1.0.9

- Updated skill metadata format to streamline environment and installation requirements. - Now explicitly defines AGENTMFA_API_KEY as the primary environment variable in metadata. - Modernized the structure under the "openclaw" key for clarity and compatibility. - No functional or file changes to skill behavior.

v1.0.8

- Added skill homepage URL to metadata for easier reference. - No other changes to functionality or documentation.

v1.0.7

- Added structured metadata under the "openclaw" key, specifying required binaries, install instructions for npm, and required environment variables. - No changes to the core functionality or usage documentation of the skill.

v1.0.6

- Added documentation for the required environment variable AGENTMFA_API_KEY, including details and description. - Updated metadata to include the required environment variable section. - Enhanced documentation to clarify open source status of MCP server source code. - Minor wording improvements and clarification in usage and rules sections.

v1.0.5

- Clarified that AgentMFA pauses the agent and does not execute actions directly. - Added an "About AgentMFA" section detailing the MCP server, API key setup, privacy policy, and source code links. - Provided clear MCP server requirements and setup instructions. - Updated guidance on handling the TOTP code, emphasizing its sensitivity and not logging it unnecessarily. - Improved instructions for usage, environment variable requirements, and tool flows.

v1.0.4

- Improved documentation with detailed usage instructions, standard flows, and best practices - Clarified use cases for requesting biometric approval on sensitive actions - Added comprehensive guidelines for handling approval, rejection, and expiry scenarios - Provided MCP tool descriptions for better integration and understanding

Metadata

Slug agentmfa

Version 1.0.11

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 8

Frequently Asked Questions

What is AgentMFA?

Request human approval via biometric auth before performing sensitive actions. Use this skill whenever an action is irreversible, destructive, or requires hu... It is an AI Agent Skill for Claude Code / OpenClaw, with 126 downloads so far.

How do I install AgentMFA?

Run "/install agentmfa" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AgentMFA free?

Yes, AgentMFA is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AgentMFA support?

AgentMFA is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created AgentMFA?

It is built and maintained by leiarenee (@leiarenee); the current version is v1.0.11.

More Skills

AgentMFA