← 返回 Skills 市场
94
总下载
0
收藏
0
当前安装
7
版本数
在 OpenClaw 中安装
/install permission-vending-machine
功能描述
Multi-channel approval system for AI agent permissions. GATES sensitive operations (file deletion, git force-push) behind human approval. Notifies via iMessa...
安全使用建议
This implementation broadly does what it claims, but several red flags mean you should not install it without review and configuration. Key things to check before installing:
- Verify and lock down the HTTP approval endpoint: by default the daemon binds 0.0.0.0 and the approval handler will approve the most-recent pending request when no token is provided — ensure the server is bound to localhost or to an internal-only interface or protected by authentication/firewall rules, and confirm the server enforces tokens/signatures for approvals.
- Expect to provide several sensitive credentials (IMAP/SMTP password, Sendblue API key, webhook URLs, Telegram bot token). The registry metadata lists none; confirm where you will store these and restrict file permissions. Prefer dedicated service accounts / app-specific passwords and rotate keys.
- Confirm presence and provenance of the sendblue CLI if you enable iMessage: the code calls `sendblue` via subprocess; the registry said no required binaries but the channel depends on it. Installing a CLI without verifying it is risky.
- Review server.py and CallbackHandler.verify_discord_interaction to ensure signature verification is actually enforced for each channel you enable (the code contains a verifier but you must confirm the server uses it and that secrets are configured).
- Audit how approvals are parsed (email/IMAP): email approvals look for plain APPROVE/DENY and an optional token. This works but means anyone who can send mail to the configured mailbox (or compromise it) can grant privileges. Hardening the mailbox and using tokens is strongly recommended.
- Test in an isolated environment first (local VM) and run with minimal channels enabled (e.g., only local Discord webhook or localhost HTTP with auth) before exposing to network or adding real approvers.
Given these mismatches (missing declared requirements vs. real config needs) and the potentially insecure default approval behavior, treat this skill as suspicious and perform the checks above (or request a signed/verified upstream release and provenance) before trusting it on production hosts.
能力评估
Purpose & Capability
The code implements a local multi-channel approval system that matches the SKILL.md purpose (vault, wrappers, IMAP/sendblue/Discord/HTTP approvals). However the registry metadata declares no required env vars or binaries while the project clearly requires API keys, IMAP credentials, webhook URLs and the `sendblue` CLI/binary when those channels are enabled — a mismatch that reduces transparency and is unexpected.
Instruction Scope
Runtime instructions and code ask the agent (or installer) to start a persistent approval daemon, run wrappers that will execute destructive commands when granted, and configure many external channels. More importantly, the HTTP approval handler will approve the most-recent pending request if a token is missing/invalid, and the daemon starts an HTTP server bound to 0.0.0.0 by default — creating an exposed approval surface that could be abused if not properly network-restricted or authenticated. Email/IMAP-based approvals and Sendblue polling will accept plain 'APPROVE' replies from the mailbox/phone, which is expected behavior but means those channels must be tightly controlled.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md and README instruct cloning the GitHub repo and running `pip install -e .` or the included setup wizard. That is typical for an open-source Python tool; no opaque external archive downloads are present. Still, installing a service that listens on a network port and runs continuously is higher-risk than an instruction-only skill — review the code before you pip-install.
Credentials
Although the registry lists no required environment variables or credentials, the project requires multiple sensitive secrets to function: IMAP username/password, SMTP settings, Sendblue API key and CLI binary, Discord/Slack webhook URLs, Telegram bot token, etc. Those are reasonable for multi-channel notifications but the registry should have declared them. Because the skill will store and use those secrets and poll inboxes / invoke a local binary, you should confirm where you place them and that the daemon has minimal access.
Persistence & Privilege
The skill is designed to run as a persistent daemon (launchd/systemd/Windows service) and listens for HTTP callbacks. Although 'always' is false, running as a system service + binding to 0.0.0.0 expands the blast radius. Combined with the code behavior that may approve the most-recent pending request if a token is absent, this is a notable privilege surface that requires careful network and access controls.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install permission-vending-machine - 安装完成后,直接呼叫该 Skill 的名称或使用
/permission-vending-machine触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.1
- Internal code update in src/pvm/setup_wizard.py.
- No user-facing changes or documentation updates.
v1.1.0
- Added setup wizard module to assist with initial configuration.
- Updated CLI and documentation to reflect new setup process.
- Upgraded dependencies in pyproject.toml.
- Improved onboarding experience for new users.
v1.0.4
- Improved email approval polling logic in the approval system.
- Updated sample configuration in config.example.yaml for clarity.
- Minor code cleanups and enhancements to Sendblue and email poller modules.
v1.0.3
- Updated README.md for improved documentation clarity and setup instructions.
- No code or feature changes; this version contains documentation improvements only.
v1.0.2
- Updated README.md with clarifications and expanded setup instructions.
- No functional or code changes; documentation only.
v1.0.1
- Updated documentation in PLATFORMS.md for platform-specific setup details.
- No changes to code or user-facing features.
v1.0.0
Initial release of Permission Vending Machine (PVM).
- Introduces a multi-channel approval system for AI agent permissions, gating sensitive actions like file deletion and git force-push.
- Notifies approvers via iMessage, Email, Discord, Telegram, and Slack, enforcing time-limited human grants before execution of destructive commands.
- Provides command-line tools for requesting, approving, revoking, and auditing permissions.
- Includes safe wrappers for commands (e.g., safe-rm, safe-git-push) to ensure guarded operations.
- Supports macOS, Linux, and Windows with platform-specific setup instructions.
元数据
常见问题
Permission Vending Machine 是什么?
Multi-channel approval system for AI agent permissions. GATES sensitive operations (file deletion, git force-push) behind human approval. Notifies via iMessa... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 94 次。
如何安装 Permission Vending Machine?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install permission-vending-machine」即可一键安装,无需额外配置。
Permission Vending Machine 是免费的吗?
是的,Permission Vending Machine 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Permission Vending Machine 支持哪些平台?
Permission Vending Machine 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Permission Vending Machine?
由 Tyler(@tylerdotai)开发并维护,当前版本 v1.1.1。
推荐 Skills