cjboy007

Approval Engine

by Jaden's built a claw · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 110
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install ssa-approval-engine
Description
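Approval workflow engine + exception handling system: rule-driven multi-level approval, exception detection, automatic recovery strategies, and Discord notification integration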
Usage Guidance
This skill mostly does what it says (approval workflows, exception detection, Discord notifications), but before installing:
- Expect to provide a Discord bot token (DISCORD_BOT_TOKEN) and channel IDs (DISCORD_APPROVALS_CHANNEL, DISCORD_ALERTS_CHANNEL, DISCORD_EXCEPTIONS_CHANNEL, DISCORD_RECOVERY_CHANNEL). The registry metadata currently does not list these — treat that as a documentation gap.
- Keep the Discord bot token secret and grant the bot minimal permissions required to post messages and handle interactions.
- The skill writes persistent files under the skill root (data/approvals.json, logs/approval.log, logs/exceptions.json). Run it in a directory where you control file access and rotation.
- Because the skill sends requests to discord.com, confirm your environment allows outbound HTTPS and that you trust posting these messages to those channels.
- Review the omitted/truncated source files (not provided here) for any additional network endpoints or unexpected behavior before running in production.
- Test in a staging or sandbox environment first (the skill includes test/smoke-test.sh).
The main actionable concern is the metadata/manifest inconsistency around required environment variables — that should be fixed or clarified before trusting deployment.
Capability Analysis
Type: OpenClaw Skill
Name: ssa-approval-engine
Version: 1.0.0
The skill bundle implements a comprehensive business approval and exception handling system with Discord integration. A critical security vulnerability exists in `src/rule-evaluator.js`, where the `evaluateApproverTriggerCondition` function uses `eval()` to process dynamic rule expressions; this could lead to Remote Code Execution (RCE) if an attacker can influence the input context (e.g., quotation data or customer names). While the code appears functionally aligned with its description and lacks clear evidence of intentional malice or data exfiltration, the use of unsafe evaluation logic and the handling of sensitive Discord bot tokens via environment variables pose a significant security risk.
Capability Assessment
Purpose & Capability
The code and SKILL.md implement a rule-driven approval engine with exception detection, recovery strategies and Discord integration — which matches the name/description. However the registry metadata claims no required environment variables while the SKILL.md and code clearly expect Discord credentials and optional data-dir/env paths; that mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions are focused on creating approvals, running detectors, recovery, and sending Discord notifications. The SKILL.md tells the agent to load modules from the skill root, read config/approval-rules.json and run cron/test scripts. These actions are coherent with the stated purpose and the code's behavior; I saw no instructions to read unrelated system files or exfiltrate data to unknown endpoints beyond Discord.
Install Mechanism
No install spec is provided (instruction-only), and the included source files are standard JS modules using built-in Node APIs (fs, https). There are no external download URLs or unusual installers. Risk from installation mechanism is low.
Credentials
SKILL.md and the code expect Discord-related environment variables (DISCORD_BOT_TOKEN and several DISCORD_*_CHANNEL IDs) and optionally APP/DATA root overrides, but the skill registry declares no required env vars — an inconsistency. The requested envs (Discord token and channel IDs) are reasonable for a Discord-integrated notifier, but they are sensitive credentials and should be explicitly declared in metadata so users know what to provide and protect.
Persistence & Privilege
The skill writes to local data/ and logs/ directories (approvals.json, approval.log, exceptions.json) and persists approvals to JSON — behavior consistent with an approval engine. It does not request always: true and does not modify other skills' configuration. This level of persistence is expected but you should be aware of the local files it creates.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ssa-approval-engine
  3. After installation, invoke the skill by name or use /ssa-approval-engine
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Automated approval workflow with Discord notifications
Metadata
Slug: ssa-approval-engine
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Approval Engine?

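An approval workflow engine and exception handling system: rule-driven multi-level approval, exception detection, automatic recovery strategies, and Discord notification integration. It is an AI Agent Skill for Claude Code / OpenClaw, with 110 downloads so far.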

How do I install Approval Engine?

Run "/install ssa-approval-engine" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Approval Engine free?

Yes, Approval Engine is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Approval Engine support?

Approval Engine is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Approval Engine?

It is built and maintained by Jaden's built a claw (@cjboy007); the current version is v1.0.0.
