AgentMFA is an opt-in approval system. The agent must explicitly call these tools before sensitive actions. AgentMFA does not automatically intercept or block anything — the agent decides when to request approval.
When the agent calls request_approval, the human operator receives a push notification, reviews the action, and approves or rejects it with biometrics. The agent then decides whether to proceed based on the response.
These are CLI-only operations, run via Bash:
| Invocation | Action |
|---|---|
| --- | --- |
/agentmfa list | Run agentmfa agent list and display the results. |
/agentmfa status | Run agentmfa auth status to show login state. |
agentmfa serve — part of the AgentMFA CLI; stdio MCP on your machine, talking to api.agentmfa.aiagentmfa auth login (session in the system keychain)The agentmfa CLI must be installed and logged in before this skill can be used.
# 1. Install the CLI
brew install agentmfa/cli/agentmfa
# 2. Log in (opens browser for OAuth)
agentmfa auth login
Registration happens automatically via the register_agent MCP tool — no manual step needed.
The agent should call AgentMFA tools before:
Common risky actions requiring approval:
git push --force or rewriting historykubectl delete on production resourceskubectl apply/edit to running workloadsterraform apply (especially with deletions shown in plan)terraform destroy on any environmentrm -rf or bulk file deletionsgit push -f)Note: AgentMFA does not automatically detect sensitive actions. The agent must recognize the risk and explicitly invoke the approval flow.
This skill uses the AgentMFA MCP tools exposed by agentmfa serve. Your agent uses only MCP tool calls — no direct HTTP.
Tool parameter names must match the MCP schema your client shows (see table below). Put the short label in action and full detail in context so the operator sees enough to decide.
1. Call register_agent()
→ Checks if already registered — returns immediately if so
→ If not registered, registers and waits for approval (auto or mobile)
→ Returns: { status, tool, remote, message }
⚠️ Relay the message to the user
2. Call request_approval(action, description, context?)
→ Returns: { request_id, message }
⚠️ Relay the message so the user knows to check their phone
3. Call wait_for_approval(request_id)
→ Blocks until decided (polls every 1s, default 300s timeout)
→ Approved: { approved: true, totp_verified, token, agent_totp,
server_time, approved_by, approved_from, message }
→ Rejected: { approved: false, reason }
⚠️ On approval, relay the message field verbatim
4a. approved == true → proceed
4b. approved == false → abort and inform the user
Call agent_info() to see the locally detected identity — tool name, repository, branch, machine, code signature, verification mode, and registration status. Useful for debugging.
Use check_approval_status(request_id) to poll once without blocking.
action and context should give the human enough detail to decide| Tool | Parameters | Purpose |
|---|---|---|
| --- | --- | --- |
agent_info | _(none)_ | Local identity data — tool, repo, branch, machine, signature, registration status |
register_agent | role (optional), force (optional boolean) | Register this agent. Checks first, blocks until decided |
request_approval | action (required), description (required), context (optional), services (optional array) | Submit approval request; returns request_id + message |
wait_for_approval | request_id (required), timeout (optional, default 300s) | Block until decided |
check_approval_status | request_id (required) | Single non-blocking poll |
In OpenClaw, MCP tools are namespaced with the server name prefix. Use these exact tool names:
agentmfa__agent_infoagentmfa__register_agentagentmfa__request_approvalagentmfa__wait_for_approvalagentmfa__check_approval_status共 2 个版本