cjboy007

Approval Engine

Author: Jaden's built a claw · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 110
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install ssa-approval-engine
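Description
Approval workflow engine + exception handling system: rule-driven multi-level approval, exception detection, automatic recovery strategies, and Discord notification integration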
Security recommendations
This skill mostly does what it says (approval workflows, exception detection, Discord notifications), but before installing:
- Expect to provide a Discord bot token (DISCORD_BOT_TOKEN) and channel IDs (DISCORD_APPROVALS_CHANNEL, DISCORD_ALERTS_CHANNEL, DISCORD_EXCEPTIONS_CHANNEL, DISCORD_RECOVERY_CHANNEL). The registry metadata currently does not list these — treat that as a documentation gap.
- Keep the Discord bot token secret and grant the bot minimal permissions required to post messages and handle interactions.
- The skill writes persistent files under the skill root (data/approvals.json, logs/approval.log, logs/exceptions.json). Run it in a directory where you control file access and rotation.
- Because the skill sends requests to discord.com, confirm your environment allows outbound HTTPS and that you trust posting these messages to those channels.
- Review the omitted/truncated source files (not provided here) for any additional network endpoints or unexpected behavior before running in production.
- Test in a staging or sandbox environment first (the skill includes test/smoke-test.sh).
The main actionable concern is the metadata/manifest inconsistency around required environment variables — that should be fixed or clarified before trusting deployment.
Functional analysis
Type: OpenClaw Skill
Name: ssa-approval-engine
Version: 1.0.0
The skill bundle implements a comprehensive business approval and exception handling system with Discord integration. A critical security vulnerability exists in `src/rule-evaluator.js`, where the `evaluateApproverTriggerCondition` function uses `eval()` to process dynamic rule expressions; this could lead to Remote Code Execution (RCE) if an attacker can influence the input context (e.g., quotation data or customer names). While the code appears functionally aligned with its description and lacks clear evidence of intentional malice or data exfiltration, the use of unsafe evaluation logic and the handling of sensitive Discord bot tokens via environment variables pose a significant security risk.
Capability assessment
Purpose & Capability
The code and SKILL.md implement a rule-driven approval engine with exception detection, recovery strategies and Discord integration — which matches the name/description. However the registry metadata claims no required environment variables while the SKILL.md and code clearly expect Discord credentials and optional data-dir/env paths; that mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions are focused on creating approvals, running detectors, recovery, and sending Discord notifications. The SKILL.md tells the agent to load modules from the skill root, read config/approval-rules.json and run cron/test scripts. These actions are coherent with the stated purpose and the code's behavior; I saw no instructions to read unrelated system files or exfiltrate data to unknown endpoints beyond Discord.
Install Mechanism
No install spec is provided (instruction-only), and the included source files are standard JS modules using built-in Node APIs (fs, https). There are no external download URLs or unusual installers. Risk from installation mechanism is low.
Credentials
SKILL.md and the code expect Discord-related environment variables (DISCORD_BOT_TOKEN and several DISCORD_*_CHANNEL IDs) and optionally APP/ DATA root overrides, but the skill registry declares no required env vars — an inconsistency. The requested envs (Discord token and channel IDs) are reasonable for a Discord-integrated notifier, but they are sensitive credentials and should be explicitly declared in metadata so users know what to provide and protect.
Persistence & Privilege
The skill writes to local data/ and logs/ directories (approvals.json, approval.log, exceptions.json) and persists approvals to JSON — behavior consistent with an approval engine. It does not request always: true and does not modify other skills' configuration. This level of persistence is expected but you should be aware of the local files it creates.
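How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install ssa-approval-engine
  3. Once installation completes, invoke the Skill by name or trigger it with /ssa-approval-engine
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output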
Version history
v1.0.0
Initial release: Automated approval workflow with Discord notifications
Metadata
Slug: ssa-approval-engine
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
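FAQ

What is Approval Engine?

Approval workflow engine + exception handling system: rule-driven multi-level approval, exception detection, automatic recovery strategies, and Discord notification integration. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 110 cumulative downloads to date.

How do I install Approval Engine?

Run the command "/install ssa-approval-engine" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Approval Engine free?

Yes, Approval Engine is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Approval Engine support?

Approval Engine runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Approval Engine?

It is developed and maintained by Jaden's built a claw (@cjboy007); the current version is v1.0.0.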
