openclaw-plugin-exec-grant 1.0.1 → 1.1.0

package/index.ts

@@ -1,14 +1,20 @@
 import { execFileSync } from "node:child_process";
 import { join } from "node:path";
 
+const PLUGIN_ID = "openclaw-plugin-exec-grant";
 const SCRIPTS_DIR = join(__dirname, "skills", "exec-grant", "scripts");
 
-function runScript(name: string, args: string[] = []): string {
+function runScript(
+  name: string,
+  args: string[] = [],
+  env?: Record<string, string>,
+): string {
   const scriptPath = join(SCRIPTS_DIR, name);
   try {
     return execFileSync("bash", [scriptPath, ...args], {
       encoding: "utf-8",
       timeout: 30_000,
+      env: { ...process.env, ...env },
     }).trim();
   } catch (err: any) {
     const stderr = err.stderr?.toString().trim() || "";
@@ -18,6 +24,19 @@ function runScript(name: string, args: string[] = []): string {
 }
 
 export default function register(api: any) {
+  const config = api.getConfig?.() ?? {};
+  const adminTarget = config.adminTarget;
+  const channel = config.channel;
+
+  if (!adminTarget || !channel) {
+    api.logger?.warn(
+      `[exec-grant] Missing config. Set adminTarget and channel:\n` +
+        `  openclaw config set plugins.entries.${PLUGIN_ID}.config.adminTarget "<target>"\n` +
+        `  openclaw config set plugins.entries.${PLUGIN_ID}.config.channel "<channel>"\n` +
+        `  Example channels: whatsapp, telegram, slack, discord, signal`,
+    );
+  }
+
   api.registerCommand({
     name: "grant",
     description: "Activate time-boxed elevated shell access (admin only)",
@@ -28,7 +47,13 @@ export default function register(api: any) {
       if (!minutes || !/^\d+$/.test(minutes)) {
         return { text: "Usage: /grant <minutes>  (1-120)" };
       }
-      const result = runScript("grant.sh", [minutes]);
+      // Reply on the channel the admin used to send the command
+      const replyChannel = ctx.channel || channel;
+      const replyTarget = ctx.sender || adminTarget;
+      const result = runScript("grant.sh", [minutes], {
+        EXEC_GRANT_CHANNEL: replyChannel || "",
+        EXEC_GRANT_TARGET: replyTarget || "",
+      });
       return { text: result };
     },
   });
@@ -38,8 +63,13 @@ export default function register(api: any) {
     description: "Revoke elevated shell access immediately (admin only)",
     acceptsArgs: false,
     requireAuth: true,
-    handler() {
-      const result = runScript("revoke.sh");
+    handler(ctx: any) {
+      const replyChannel = ctx.channel || channel;
+      const replyTarget = ctx.sender || adminTarget;
+      const result = runScript("revoke.sh", [], {
+        EXEC_GRANT_CHANNEL: replyChannel || "",
+        EXEC_GRANT_TARGET: replyTarget || "",
+      });
       return { text: result };
     },
   });

package/openclaw.plugin.json

@@ -1,23 +1,30 @@
 {
   "id": "openclaw-plugin-exec-grant",
   "name": "Exec Grant",
-  "description": "Time-boxed elevated shell access with WhatsApp admin approval",
+  "description": "Time-boxed elevated shell access with admin approval via any messaging channel",
   "version": "1.0.0",
   "configSchema": {
     "type": "object",
     "properties": {
-      "adminPhone": {
+      "adminTarget": {
         "type": "string",
-        "description": "E.164 phone number of the admin who approves grants"
+        "description": "Admin contact: E.164 phone for WhatsApp/Signal, chat ID for Telegram, channel/user for Slack/Discord"
+      },
+      "channel": {
+        "type": "string",
+        "description": "Messaging channel to use for approval requests (e.g. whatsapp, telegram, slack, discord, signal)"
       }
     },
-    "required": ["adminPhone"],
     "additionalProperties": false
   },
   "uiHints": {
-    "adminPhone": {
-      "label": "Admin Phone (E.164)",
-      "placeholder": "+16505551234"
+    "adminTarget": {
+      "label": "Admin Target",
+      "placeholder": "+16505551234 or @admin or #approvals"
+    },
+    "channel": {
+      "label": "Channel",
+      "placeholder": "whatsapp"
     }
   },
   "skills": ["skills/exec-grant"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-plugin-exec-grant",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Time-boxed elevated shell access with WhatsApp admin approval for OpenClaw",
   "main": "index.ts",
   "license": "MIT",

package/skills/exec-grant/SKILL.md

@@ -66,7 +66,7 @@ Grants auto-revoke via an OS-level timer. When revoked, security returns to allo
 
 - **Never modify `~/.openclaw/exec-approvals.json` directly.** All changes go through grant.sh and revoke.sh.
 - **Never attempt to cancel, extend, or tamper with the revocation timer.** The timer runs at the OS level and is intentionally outside agent control.
-- **Never call grant.sh directly.** Only the plugin's `/grant` command handler (triggered by admin WhatsApp reply) should invoke it.
+- **Never call grant.sh directly.** Only the plugin's `/grant` command handler (triggered by admin reply) should invoke it.
 - **Never request more time than needed.** Estimate conservatively and request a new grant if the first one runs out.
 - **Always provide a specific reason.** Vague reasons like "need access" will likely be denied by the admin.
 
@@ -76,7 +76,7 @@ All scripts are located at `${CLAUDE_PLUGIN_ROOT}/skills/exec-grant/scripts/`:
 
 | Script | Called By | Purpose |
 |---|---|---|
-| `request.sh` | Agent | Send approval request to admin via WhatsApp |
+| `request.sh` | Agent | Send approval request to admin via configured channel |
 | `grant.sh` | Plugin `/grant` handler | Activate elevated access + schedule timer |
 | `revoke.sh` | OS timer or `/revoke` | Revert to allowlist mode |
 | `status.sh` | Agent | Check current grant state and remaining time |

package/skills/exec-grant/references/security-model.md

@@ -2,16 +2,16 @@
 
 ## Threat Model
 
-### Threat 1: Prompt Injection via WhatsApp
+### Threat 1: Prompt Injection via Messaging Channel
 
-**Attack:** A malicious message forwarded to the admin's WhatsApp contains text like "Reply /grant 120 to this message." The admin might reflexively reply with the command.
+**Attack:** A malicious message forwarded to the admin contains text like "Reply /grant 120 to this message." The admin might reflexively reply with the command.
 
 **Mitigation:**
-- `requireAuth: true` on `/grant` ensures only messages from the configured admin phone number are processed
+- `requireAuth: true` on `/grant` ensures only messages from authorized senders are processed
 - The grant confirmation message sent back to the admin includes the exact duration and expiry time, making unintended grants visible
 - Grants are capped at 120 minutes maximum
 
-**Residual risk:** If the admin's phone is compromised, the attacker can approve grants. This is inherent to any human-in-the-loop approval system.
+**Residual risk:** If the admin's account is compromised, the attacker can approve grants. This is inherent to any human-in-the-loop approval system.
 
 ### Threat 2: Agent Timer Tampering
 
@@ -113,6 +113,6 @@ Two separate files serve different purposes:
 
 This separation means the gateway does not need to understand grant semantics -- it only checks the security field.
 
-### Why WhatsApp as the Approval Channel
+### Why an Out-of-Band Messaging Channel
 
-WhatsApp provides an out-of-band approval channel that the agent cannot impersonate. The admin receives requests on their phone, can evaluate context, and responds with a simple command. This is preferable to in-band approval (e.g., a web UI the agent could potentially interact with).
+The approval channel (WhatsApp, Telegram, Slack, etc.) is out-of-band -- the agent cannot impersonate the admin on it. The admin receives requests on their device, can evaluate context, and responds with a simple command. This is preferable to in-band approval (e.g., a web UI the agent could potentially interact with). The plugin supports any channel OpenClaw provides, configured via the `channel` and `adminTarget` config fields.

package/skills/exec-grant/scripts/grant.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 # grant.sh -- Called by plugin /grant handler: activates elevated access + timer
 # Usage: grant.sh <minutes>
+# Env: EXEC_GRANT_CHANNEL, EXEC_GRANT_TARGET (set by index.ts from command context)
 set -euo pipefail
 
 # Ensure openclaw is on PATH (npm global bin may not be in non-interactive shells)
@@ -32,10 +33,8 @@ SECONDS_TO_ADD=$(( MINUTES * 60 ))
 EXPIRY=$(( NOW + SECONDS_TO_ADD ))
 
 if date -v+1S +%s >/dev/null 2>&1; then
-  # macOS (BSD date)
   EXPIRY_HUMAN=$(date -r "$EXPIRY" '+%Y-%m-%d %H:%M:%S %Z')
 else
-  # Linux (GNU date)
   EXPIRY_HUMAN=$(date -d "@${EXPIRY}" '+%Y-%m-%d %H:%M:%S %Z')
 fi
 
@@ -54,7 +53,6 @@ if [[ ! -f "$APPROVALS_FILE" ]]; then
 ENDJSON
 fi
 
-# Targeted jq edit: only change .agents.main.security
 TEMP_FILE=$(mktemp)
 jq '.agents.main.security = "full"' "$APPROVALS_FILE" > "$TEMP_FILE" && mv "$TEMP_FILE" "$APPROVALS_FILE"
 
@@ -63,7 +61,6 @@ REVOKE_SCRIPT="${SCRIPT_DIR}/revoke.sh"
 TIMER_ID=""
 
 if command -v systemctl >/dev/null 2>&1 && systemctl --user status >/dev/null 2>&1; then
-  # Linux: systemd-run (tamper-resistant -- agent cannot cancel)
   systemd-run --user \
     --on-active="${MINUTES}m" \
     --unit=exec-grant-revoke \
@@ -72,52 +69,13 @@ if command -v systemctl >/dev/null 2>&1 && systemctl --user status >/dev/null 2>
 fi
 
 if [[ -z "$TIMER_ID" ]] && [[ "$(uname)" == "Darwin" ]]; then
-  # macOS: launchd plist
-  PLIST_LABEL="com.openclaw.exec-grant-revoke"
-  PLIST_PATH="$HOME/Library/LaunchAgents/${PLIST_LABEL}.plist"
-  mkdir -p "$HOME/Library/LaunchAgents"
-
-  cat > "$PLIST_PATH" <<PLIST
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>Label</key>
-    <string>${PLIST_LABEL}</string>
-    <key>ProgramArguments</key>
-    <array>
-        <string>/bin/bash</string>
-        <string>${REVOKE_SCRIPT}</string>
-    </array>
-    <key>StartInterval</key>
-    <integer>0</integer>
-    <key>LaunchOnlyOnce</key>
-    <true/>
-    <key>RunAtLoad</key>
-    <false/>
-    <key>StandardOutPath</key>
-    <string>${HOME}/.openclaw/exec-grant-revoke.log</string>
-    <key>StandardErrorPath</key>
-    <string>${HOME}/.openclaw/exec-grant-revoke.log</string>
-</dict>
-</plist>
-PLIST
-
-  # Use a delayed start: unload any existing, then schedule via at-style workaround
-  launchctl unload "$PLIST_PATH" 2>/dev/null || true
-
-  # launchd doesn't have on-active like systemd; use sleep-based subprocess
   (sleep "$SECONDS_TO_ADD" && bash "$REVOKE_SCRIPT") &
   BG_PID=$!
   disown "$BG_PID" 2>/dev/null || true
   TIMER_ID="bg:${BG_PID}"
-
-  # Clean up the plist since we're using bg approach
-  rm -f "$PLIST_PATH"
 fi
 
 if [[ -z "$TIMER_ID" ]]; then
-  # Fallback: background sleep + revoke
   (sleep "$SECONDS_TO_ADD" && bash "$REVOKE_SCRIPT") &
   BG_PID=$!
   disown "$BG_PID" 2>/dev/null || true
@@ -139,12 +97,13 @@ ENDJSON
 # --- Audit log ---
 echo "[$(date -u '+%Y-%m-%dT%H:%M:%SZ')] GRANT: ${MINUTES}m, expires ${EXPIRY_HUMAN}, timer=${TIMER_ID}" >> "$AUDIT_LOG"
 
-# --- Notify admin ---
-ADMIN_PHONE=$(openclaw config get plugins.entries.openclaw-plugin-exec-grant.config.adminPhone 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
+# --- Notify admin (uses channel context from the /grant command) ---
+NOTIFY_CHANNEL="${EXEC_GRANT_CHANNEL:-}"
+NOTIFY_TARGET="${EXEC_GRANT_TARGET:-}"
 
-if [[ -n "$ADMIN_PHONE" ]]; then
+if [[ -n "$NOTIFY_TARGET" ]] && [[ -n "$NOTIFY_CHANNEL" ]]; then
   MSG="Grant active for *${MINUTES}m*. Expires at ${EXPIRY_HUMAN}. Reply \`/revoke\` to end early."
-  openclaw message send --target "$ADMIN_PHONE" --channel whatsapp --message "$MSG" 2>/dev/null || true
+  openclaw message send --target "$NOTIFY_TARGET" --channel "$NOTIFY_CHANNEL" --message "$MSG" 2>/dev/null || true
 fi
 
 echo "Grant activated: ${MINUTES}m of full shell access. Expires at ${EXPIRY_HUMAN}."

package/skills/exec-grant/scripts/request.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# request.sh -- Agent-facing: sends WhatsApp approval request to admin
+# request.sh -- Agent-facing: sends approval request to admin
 # Usage: request.sh <minutes> "<reason>"
 set -euo pipefail
 
@@ -10,6 +10,7 @@ done
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 STATE_FILE="$HOME/.openclaw/exec-grant-state.json"
+PLUGIN_ID="openclaw-plugin-exec-grant"
 
 # --- Arg validation ---
 if [[ $# -lt 2 ]]; then
@@ -43,7 +44,6 @@ if [[ -f "$STATE_FILE" ]]; then
       echo "Error: grant already active with ${REMAINING}m remaining. Use status.sh to check." >&2
       exit 1
     fi
-    # Expired but not cleaned up -- status.sh will self-heal
   fi
 
   if [[ "$STATUS" == "pending" ]]; then
@@ -51,22 +51,27 @@ if [[ -f "$STATE_FILE" ]]; then
     NOW=$(date +%s)
     ELAPSED=$(( NOW - REQUESTED_AT ))
     if [[ "$ELAPSED" -lt 300 ]]; then
-      echo "Error: approval request already pending (sent $(( ELAPSED ))s ago). Wait for admin response." >&2
+      echo "Error: approval request already pending (sent ${ELAPSED}s ago). Wait for admin response." >&2
       exit 1
     fi
-    # Stale pending request (>5m) -- allow re-request
   fi
 fi
 
-# --- Get admin phone ---
-ADMIN_PHONE=$(openclaw config get plugins.entries.openclaw-plugin-exec-grant.config.adminPhone 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
+# --- Read plugin config ---
+ADMIN_TARGET=$(openclaw config get "plugins.entries.${PLUGIN_ID}.config.adminTarget" 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
+CHANNEL=$(openclaw config get "plugins.entries.${PLUGIN_ID}.config.channel" 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
 
-if [[ -z "$ADMIN_PHONE" ]]; then
-  echo "Error: no admin phone configured. Set plugins.entries.openclaw-plugin-exec-grant.config.adminPhone" >&2
+if [[ -z "$ADMIN_TARGET" ]]; then
+  echo "Error: no admin target configured. Set plugins.entries.${PLUGIN_ID}.config.adminTarget" >&2
   exit 1
 fi
 
-# --- Send WhatsApp approval request ---
+if [[ -z "$CHANNEL" ]]; then
+  echo "Error: no channel configured. Set plugins.entries.${PLUGIN_ID}.config.channel" >&2
+  exit 1
+fi
+
+# --- Send approval request ---
 MSG="*Elevated Access Request*
 
 Agent requests *${MINUTES}m* of full shell access.
@@ -75,7 +80,7 @@ Agent requests *${MINUTES}m* of full shell access.
 
 Reply \`/grant ${MINUTES}\` to approve or ignore to deny."
 
-openclaw message send --target "$ADMIN_PHONE" --channel whatsapp --message "$MSG"
+openclaw message send --target "$ADMIN_TARGET" --channel "$CHANNEL" --message "$MSG"
 
 # --- Write pending state ---
 mkdir -p "$(dirname "$STATE_FILE")"
@@ -87,8 +92,9 @@ cat > "$STATE_FILE" <<ENDJSON
   "requested_minutes": ${MINUTES},
   "reason": $(jq -n --arg v "$REASON" '$v'),
   "requested_at": ${NOW},
-  "admin_phone": $(jq -n --arg v "$ADMIN_PHONE" '$v')
+  "admin_target": $(jq -n --arg v "$ADMIN_TARGET" '$v'),
+  "channel": $(jq -n --arg v "$CHANNEL" '$v')
 }
 ENDJSON
 
-echo "Approval request sent to admin. Waiting for /grant ${MINUTES} reply."
+echo "Approval request sent to admin via ${CHANNEL}. Waiting for /grant ${MINUTES} reply."

package/skills/exec-grant/scripts/revoke.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 # revoke.sh -- Called by timer or /revoke: reverts to allowlist mode
 # Usage: revoke.sh
+# Env: EXEC_GRANT_CHANNEL, EXEC_GRANT_TARGET (set by index.ts when called via /revoke)
 set -euo pipefail
 
 # Ensure openclaw is on PATH (npm global bin may not be in non-interactive shells)
@@ -8,6 +9,7 @@ for p in "$HOME/.npm-global/bin" "$HOME/.local/bin" "$HOME/node_modules/.bin"; d
   [[ -d "$p" ]] && export PATH="$p:$PATH"
 done
 
+PLUGIN_ID="openclaw-plugin-exec-grant"
 STATE_FILE="$HOME/.openclaw/exec-grant-state.json"
 APPROVALS_FILE="$HOME/.openclaw/exec-approvals.json"
 AUDIT_LOG="$HOME/.openclaw/exec-grant-audit.log"
@@ -29,8 +31,6 @@ if [[ -f "$STATE_FILE" ]]; then
     systemctl --user stop "${UNIT}.timer" 2>/dev/null || true
     systemctl --user stop "${UNIT}.service" 2>/dev/null || true
   fi
-  # bg: timers cannot be reliably cancelled cross-process, but the revoke
-  # itself is idempotent so a second invocation is harmless
 fi
 
 # --- Update state file ---
@@ -46,10 +46,18 @@ ENDJSON
 echo "[$(date -u '+%Y-%m-%dT%H:%M:%SZ')] REVOKE: security restored to allowlist" >> "$AUDIT_LOG"
 
 # --- Notify admin ---
-ADMIN_PHONE=$(openclaw config get plugins.entries.openclaw-plugin-exec-grant.config.adminPhone 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
+# When called from /revoke command, env vars are set by index.ts
+# When called from timer, fall back to plugin config
+NOTIFY_CHANNEL="${EXEC_GRANT_CHANNEL:-}"
+NOTIFY_TARGET="${EXEC_GRANT_TARGET:-}"
+
+if [[ -z "$NOTIFY_TARGET" ]] || [[ -z "$NOTIFY_CHANNEL" ]]; then
+  NOTIFY_TARGET=$(openclaw config get "plugins.entries.${PLUGIN_ID}.config.adminTarget" 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
+  NOTIFY_CHANNEL=$(openclaw config get "plugins.entries.${PLUGIN_ID}.config.channel" 2>/dev/null | tail -1 | tr -d '[:space:]' || true)
+fi
 
-if [[ -n "$ADMIN_PHONE" ]]; then
-  openclaw message send --target "$ADMIN_PHONE" --channel whatsapp --message "Grant revoked. Security restored to allowlist mode." 2>/dev/null || true
+if [[ -n "$NOTIFY_TARGET" ]] && [[ -n "$NOTIFY_CHANNEL" ]]; then
+  openclaw message send --target "$NOTIFY_TARGET" --channel "$NOTIFY_CHANNEL" --message "Grant revoked. Security restored to allowlist mode." 2>/dev/null || true
 fi
 
 echo "Grant revoked. Security restored to allowlist mode."