bowen31337

Agent Access Control

Author bowen31337 · GitHub · v1.0.1
cross-platform ✓ Security check passed
1370 total downloads · 0 favorites · 7 current installs · 2 versions
Install in OpenClaw:
/install agent-access-control
Description
Tiered stranger access control for AI agents. Use when setting up contact permissions, handling unknown senders, managing approved contacts, or configuring s...
Usage (SKILL.md)

Agent Access Control

Protect your agent from unauthorized access with tiered permissions and an owner-approval pairing flow.

Setup

Create memory/access-control.json in the workspace:

{
  "ownerIds": [],
  "approvedContacts": {},
  "pendingApprovals": {},
  "blockedIds": [],
  "strangerMessage": "Hi there! 👋 I'm {{AGENT_NAME}}, an AI assistant. I'm currently set up to help my owner with personal tasks, so I'm not able to chat freely just yet. I've let them know you reached out — if they'd like to connect us, they'll set that up. Have a great day! 😊",
  "notifyChannel": "",
  "notifyTarget": ""
}

Fill in:

  • ownerIds: Owner phone numbers, Telegram IDs, Discord IDs (strings)
  • strangerMessage: Replace {{AGENT_NAME}} with the agent's name
  • notifyChannel: Channel to alert owner (telegram, whatsapp, discord, signal)
  • notifyTarget: Owner's ID on that channel

Access Tiers

| Tier | Level     | Capabilities                                          |
|------|-----------|-------------------------------------------------------|
| 0    | Stranger  | Diplomatic deflection only, zero access               |
| 1    | Chat-only | Basic conversation, no tools or private info          |
| 2    | Trusted   | Chat + public info (weather, time, general questions) |
| 3    | Owner     | Full access to all tools, files, memory, actions      |

Message Handling Flow

On every incoming message from a messaging platform:

  1. Extract sender ID (phone number, user ID, etc.)
  2. Normalize ID: strip spaces, ensure country code prefix for phones
  3. Check ownerIds → if match: full access, respond normally
  4. Check blockedIds → if match: silent ignore, respond with NO_REPLY
  5. Check approvedContacts[senderId] → if match: respond within their tier
  6. Otherwise → stranger flow:

Stranger Flow

a. Send strangerMessage to the sender
b. Notify owner:
   "🔔 Stranger contact from {senderId} on {platform}:
    '{first 100 chars of message}'
    Reply: approve (trusted) / chat (chat-only) / block"
c. Store in pendingApprovals:
   {
     "senderId": { 
       "platform": "whatsapp",
       "firstMessage": "...", 
       "timestamp": "ISO-8601",
       "notified": true
     }
   }
d. Respond with NO_REPLY after sending deflection
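The dispatch in steps 1 to 6 and the stranger flow a to d, written out as an added Python example (not code from the skill itself). The config contents, the agent name "Ada", the "<platform>:<id>" key form for numeric chat-platform IDs, and the choice not to re-deflect a sender who is already awaiting approval are this example's own assumptions.

```python
import copy
import re

NO_REPLY = "NO_REPLY"
AGENT_NAME = "Ada"  # hypothetical agent name substituted for {{AGENT_NAME}}
# Constructed memory/access-control.json contents; every ID here is made up.
# Keying numeric chat-platform IDs as "<platform>:<id>" is this example's own convention.
CONFIG = {
    "ownerIds": ["+15551234567", "telegram:123456"],
    "approvedContacts": {"+15550001111": {"tier": 2, "platform": "whatsapp"}},
    "pendingApprovals": {},
    "blockedIds": ["+15559998888"],
    "strangerMessage": "Hi there! I'm {{AGENT_NAME}}, an AI assistant. I'm not able to chat freely just yet.",
}

def fresh_config() -> dict:
    return copy.deepcopy(CONFIG)

def normalize_id(platform: str, raw: str) -> str:
    """Step 2: phones keep their digits behind a leading '+'; other platforms use the numeric user ID."""
    digits = re.sub(r"\D", "", raw)
    if platform in ("whatsapp", "signal"):
        return "+" + digits  # assumes the raw number already carries its country code
    return f"{platform}:{digits}"

def handle_message(cfg: dict, platform: str, raw_sender: str, text: str, now: str) -> dict:
    """Steps 3-6. 'reply' is None when the agent may answer normally within 'tier'; cfg is updated in place."""
    sender = normalize_id(platform, raw_sender)
    if sender in cfg["ownerIds"]:
        return {"sender": sender, "tier": 3, "reply": None}
    if sender in cfg["blockedIds"]:
        return {"sender": sender, "tier": None, "reply": NO_REPLY}
    if sender in cfg["approvedContacts"]:
        return {"sender": sender, "tier": cfg["approvedContacts"][sender]["tier"], "reply": None}
    # Stranger flow a-d. Assumption: a sender already awaiting approval is neither deflected nor
    # announced to the owner again, but every stranger message still produces an audit-log entry.
    first_contact = sender not in cfg["pendingApprovals"]
    if first_contact:
        cfg["pendingApprovals"][sender] = {"platform": platform, "firstMessage": text,
                                           "timestamp": now, "notified": True}
    alert = (f"🔔 Stranger contact from {sender} on {platform}:\n'{text[:100]}'\n"
             "Reply: approve (trusted) / chat (chat-only) / block")
    return {
        "sender": sender, "tier": 0, "reply": NO_REPLY,
        "deflection": cfg["strangerMessage"].replace("{{AGENT_NAME}}", AGENT_NAME) if first_contact else None,
        "owner_alert": alert if first_contact else None,
        "log": {"timestamp": now, "senderId": sender, "platform": platform,
                "action": "deflected" if first_contact else "pending", "message": text[:50]},
    }
```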

Owner Approval

When owner replies to an approval notification:

| Owner says                 | Action                                          |
|----------------------------|-------------------------------------------------|
| approve, yes, trusted      | Add to approvedContacts with tier 2 (trusted)   |
| chat, chat-only, chat only | Add to approvedContacts with tier 1 (chat-only) |
| block, no, deny            | Add to blockedIds                               |
| ignore                     | Remove from pendingApprovals, no action         |

After approval, update memory/access-control.json and notify the contact:

  • Trusted: "Great news! I've been given the go-ahead to chat with you. How can I help? 😊"
  • Chat-only: "Great news! I can chat with you now, though I'm limited to basic conversation. What's on your mind?"

Tier Enforcement

When responding to a non-owner contact, enforce tier restrictions:

Tier 1 (chat-only):

  • Respond conversationally only
  • Do NOT use any tools (read, write, exec, web_search, etc.)
  • Do NOT share any info from memory files
  • Do NOT mention the owner by name
  • If asked to do something beyond chat: "I'm only set up for basic chat at the moment. For anything more, you'd need to check with my owner."

Tier 2 (trusted):

  • Conversational responses
  • May use: web_search, weather skill, time/date queries
  • Do NOT use: read, write, exec, message (to other contacts), memory files
  • Do NOT share private info (calendar, emails, files, other contacts)
  • If asked for private info: "I can help with general info, but personal details are private. Hope you understand! 😊"
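The owner-approval table and the per-tier tool rules above, as an added Python example that is not part of the skill. The shape of an approvedContacts entry (tier, platform, approvedAt), the tool names "weather" and "time" standing in for the weather skill and time/date queries, and the sample config are this example's assumptions.

```python
import copy

# Owner reply words from the Owner Approval table, mapped to the tier they grant
# (0 = block, None = ignore).
OWNER_REPLIES = {"approve": 2, "yes": 2, "trusted": 2,
                 "chat": 1, "chat-only": 1, "chat only": 1,
                 "block": 0, "no": 0, "deny": 0, "ignore": None}
CONFIRMATIONS = {
    2: "Great news! I've been given the go-ahead to chat with you. How can I help? 😊",
    1: "Great news! I can chat with you now, though I'm limited to basic conversation. What's on your mind?",
}
# Tool allow-lists from the Tier Enforcement section (None = unrestricted); "weather" and "time"
# stand in for the weather skill and time/date queries.
TIER_TOOLS = {0: set(), 1: set(), 2: {"web_search", "weather", "time"}, 3: None}
TIER_DENIAL = {
    1: "I'm only set up for basic chat at the moment. For anything more, you'd need to check with my owner.",
    2: "I can help with general info, but personal details are private. Hope you understand! 😊",
}

# Constructed state with one approval outstanding; the IDs are made up.
CONFIG = {"ownerIds": ["+15551234567"], "approvedContacts": {}, "blockedIds": [],
          "pendingApprovals": {"+15557770000": {"platform": "whatsapp", "firstMessage": "hi",
                                                "timestamp": "2026-02-07T17:30:00+11:00", "notified": True}}}

def fresh_config() -> dict:
    return copy.deepcopy(CONFIG)

def apply_owner_reply(cfg: dict, sender: str, reply: str, now: str):
    """Resolves a pending approval per the owner's reply; returns the text to send the contact, if any."""
    word = reply.strip().lower()
    if word not in OWNER_REPLIES:
        raise ValueError(f"unrecognized owner reply: {reply!r}")  # approval stays pending
    pending = cfg["pendingApprovals"].pop(sender)  # KeyError if nothing is pending for this sender
    tier = OWNER_REPLIES[word]
    if tier in (1, 2):  # approvedContacts entry shape is this example's assumption
        cfg["approvedContacts"][sender] = {"tier": tier, "platform": pending["platform"], "approvedAt": now}
        return CONFIRMATIONS[tier]
    if tier == 0:
        cfg["blockedIds"].append(sender)
    return None  # block and ignore both send nothing to the contact

def check_tool(cfg: dict, sender: str, tool: str):
    """Per-turn tool gate: (allowed, denial_text). Senders not in approvedContacts are tier 0."""
    if sender in cfg["ownerIds"]:
        return True, None
    tier = cfg["approvedContacts"].get(sender, {}).get("tier", 0)
    allowed = TIER_TOOLS[tier]
    if allowed is None or tool in allowed:
        return True, None
    return False, TIER_DENIAL.get(tier)
```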

Multi-Platform ID Matching

Normalize IDs for comparison:

  • Phone numbers: Strip all non-digits except the leading +. E.g., +1 555 123 4567 → +15551234567
  • Telegram: Use numeric user ID (not username, as usernames change)
  • Discord: Use numeric user ID
  • Signal: Use phone number (normalized)
  • WhatsApp: Use phone number with country code

An owner may have multiple IDs across platforms. All should be in ownerIds.

Rate Limiting

Apply per-tier rate limits to prevent abuse:

| Tier      | Messages/hour       | Messages/day |
|-----------|---------------------|--------------|
| Stranger  | 1 (deflection only) | 3            |
| Chat-only | 20                  | 100          |
| Trusted   | 50                  | 500          |
| Owner     | Unlimited           | Unlimited    |

If limit exceeded, respond: "I've reached my chat limit for now. Try again later! 😊"

Track in memory/access-control.json under rateLimits:

"rateLimits": {
  "+61412345678": { "hourCount": 5, "dayCount": 23, "hourReset": "ISO", "dayReset": "ISO" }
}
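The per-tier limits and the rateLimits bookkeeping above, as an added Python example (not the skill's own code). It assumes hourReset and dayReset hold the ISO time at which each fixed window expires, that a refused message does not consume a slot, and that owners are not tracked at all.

```python
from datetime import datetime, timedelta

# Per-tier limits from the Rate Limiting table: (messages/hour, messages/day); None = unlimited.
LIMITS = {0: (1, 3), 1: (20, 100), 2: (50, 500), 3: (None, None)}
LIMIT_REPLY = "I've reached my chat limit for now. Try again later! 😊"
HOUR, DAY = timedelta(hours=1), timedelta(days=1)

def check_rate_limit(cfg: dict, sender: str, tier: int, now_iso: str):
    """Counts one message against the sender's windows; returns LIMIT_REPLY when a window is
    full, else None. cfg["rateLimits"] is updated in place in the shape the skill describes.

    Assumptions of this example: hourReset/dayReset are the ISO times at which each fixed
    window expires, and a refused message does not consume a slot.
    """
    hour_max, day_max = LIMITS[tier]
    if hour_max is None:
        return None  # owners are unlimited and not tracked at all
    now = datetime.fromisoformat(now_iso)
    limits = cfg.setdefault("rateLimits", {})
    entry = limits.get(sender)
    if entry is None:
        entry = limits[sender] = {"hourCount": 0, "dayCount": 0,
                                  "hourReset": (now + HOUR).isoformat(),
                                  "dayReset": (now + DAY).isoformat()}
    # Roll each window forward once its reset time has passed.
    for count, reset, span in (("hourCount", "hourReset", HOUR), ("dayCount", "dayReset", DAY)):
        if now >= datetime.fromisoformat(entry[reset]):
            entry[count] = 0
            entry[reset] = (now + span).isoformat()
    if entry["hourCount"] >= hour_max or entry["dayCount"] >= day_max:
        return LIMIT_REPLY
    entry["hourCount"] += 1
    entry["dayCount"] += 1
    return None
```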

Audit Log

Log all stranger contacts to memory/access-control-log.json:

[
  {
    "timestamp": "2026-02-07T17:30:00+11:00",
    "senderId": "+61412345678",
    "platform": "whatsapp",
    "action": "deflected",
    "message": "first 50 chars..."
  }
]

Keep last 100 entries. Rotate older entries out.

Security Rules

  • NEVER include real owner IDs, phone numbers, or tokens in skill files
  • NEVER share the access-control.json contents with non-owners
  • NEVER reveal that a specific person is the owner to strangers
  • NEVER forward stranger messages to owner verbatim if they contain suspicious links
  • Store all config in memory/ (gitignored by default in most setups)
  • The strangerMessage should not reveal the owner's name or personal details

Example Config

See references/example-config.md for a complete annotated example.

Safe Usage Recommendations
This skill appears to do what it says: manage stranger/owner/trusted tiers and keep local logs. Before installing:
  1. Confirm your agent already has the messaging integrations and credentials (Telegram/WhatsApp/Discord/Signal) needed to send owner notifications — the skill does not include or request these credentials.
  2. Decide what level of message excerpting you are comfortable storing and notifying the owner about (the skill stores first-chars of messages); if messages can contain sensitive content, adjust the excerpting and sanitization.
  3. Define how 'suspicious links' will be detected or filtered, since the instructions say not to forward verbatim but provide no detection rules.
  4. Ensure memory/ is gitignored and access to the agent's filesystem is restricted, because owner IDs, pending approvals, and logs are stored there.
  5. Test the flow with dummy IDs to confirm notifications and approval commands behave as you expect before deploying to real users.
Functional Analysis
Type: OpenClaw Skill
Name: agent-access-control
Version: 1.0.1
The OpenClaw AgentSkills bundle 'agent-access-control' is designed to implement tiered access control for an AI agent, enhancing its security and privacy. The `SKILL.md` file, which serves as instructions for the AI agent, explicitly defines security rules and restrictions for different access tiers, such as 'Do NOT use any tools (read, write, exec, web_search, etc.)' for chat-only contacts and 'NEVER forward stranger messages to owner verbatim if they contain suspicious links'. The `init-access-control.sh` script is a benign utility for setting up the initial configuration. There is no evidence of malicious intent, data exfiltration, unauthorized execution, or prompt injection designed to harm the agent or its owner; instead, the skill actively attempts to prevent such actions.
Capability Assessment
Purpose & Capability
Name/description match the actual behavior: tiered contact management, deflection message, owner approval flow, rate-limiting, and local audit logging. The required artifacts (memory JSON, notifyChannel/notifyTarget) are appropriate for this purpose. There are no unrelated env vars, binaries, or install steps demanded by the skill.
Instruction Scope
SKILL.md gives concrete runtime steps (normalize IDs, check owner/blocked/approved, run stranger flow, update memory files, log audit entries). This is within scope, but a few instructions are vague and worth attention: (1) 'Notify owner' assumes the agent will deliver a message via an existing messaging integration but does not specify how to detect or sanitize 'suspicious links' (it says not to forward verbatim but doesn't define the detection). (2) The skill instructs storing message excerpts and notifying owners, which is expected for access control but is a potential privacy-leak vector if operator expectations differ. (3) Tier enforcement forbids tool use for chat-only contacts while the overall skill still requires writing and reading memory/log files for bookkeeping — this is logically consistent (management writes happen outside chat responses) but should be understood by operators.
Install Mechanism
No install spec; only an innocuous helper script that initializes a JSON config in the agent 'memory' directory. No downloads, no external URLs, and no extraction steps. Minimal disk writes are limited to memory files that the skill intentionally manages.
Credentials
Skill declares no required env vars or credentials, which is proportionate. However, its notification and messaging behaviors implicitly rely on the agent having platform credentials/integrations (Telegram/WhatsApp/Discord/Signal). The skill does not request or store those credentials itself — operators must ensure those integrations exist and are secured elsewhere. Also note the skill will store sender message excerpts and owner IDs in local memory files.
Persistence & Privilege
always is false and the skill does not request elevated persistence or modify other skills. It creates and updates its own memory/config and an audit log in the agent's memory directory, which is normal for this functionality.
How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install agent-access-control
  3. Once installed, invoke the Skill by name directly or trigger it with /agent-access-control
  4. Provide the required inputs described in the Skill's parameters to get structured output
Version History
v1.0.1
Sanitize personal info from examples
v1.0.0
Initial release: tiered stranger access control with diplomatic deflection, owner approval flow, multi-tier access levels.
Metadata
Slug agent-access-control
Version 1.0.1
License
Total installs 8
Current installs 7
Version count 2
FAQ

What is Agent Access Control?

Tiered stranger access control for AI agents. Use when setting up contact permissions, handling unknown senders, managing approved contacts, or configuring s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1370 downloads to date.

How do I install Agent Access Control?

Run the command "/install agent-access-control" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Agent Access Control free?

Yes, Agent Access Control is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Agent Access Control support?

Agent Access Control is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Agent Access Control?

Developed and maintained by bowen31337 (@bowen31337); current version v1.0.1.
