mfa-setup - SKILL.md Agent Skill

name: mfa-setup description: 'Guide users through AirVaults MFA setup and explain validation process'

AirVaults MFA Setup Skill

Overview

This OpenClaw instance uses AirVaults for zero-friction MFA on risky actions. Actions are validated automatically in ~150ms with no user interaction required.

How It Works

Risky Action Detected - When you attempt dangerous operations (file deletion, privilege escalation, etc.)
AirVaults Validates - The action is sent to your AirVaults MFA vault
Automatic Decision - AirVaults evaluates risk and returns approve/deny (~150ms)
Execute or Block - Action proceeds if approved, blocks if denied

User sees instant execution - no codes, no prompts, no waiting.

Setup Instructions

When a user asks to set up MFA:

Tell them to create an MFA vault in their AirVaults app:
- Open AirVaults mobile app
- Create a new vault with engine type "MFA"
- Set risk threshold (0.0 = deny all, 0.5 = moderate, 1.0 = approve all)
- Copy the vault_uid and access_token

Link the vault to this OpenClaw instance:

/mfa setup vault_uid=<vault_uid> access_token=<token>

Confirm binding:
- You'll see "✓ AirVaults MFA linked!"
- Risky actions will now require validation

Checking Status

Use /mfa status to see:

Vault connection status
Risk threshold setting
Recent challenge decisions
Approval/denial statistics

What Gets Validated

Risky Tools:

exec - Shell commands
write/edit - File operations
browser - Browser automation
gateway - Config changes

Risky Patterns:

rm -rf - Recursive deletes
sudo - Privilege escalation
chmod 777 - Dangerous permissions
curl | bash - Pipe to shell

User Experience Examples

Approved Action:

User: Delete all temp files in /var/tmp
Assistant: I'll clean up the temp files.
[Validates via AirVaults - approved in 145ms]
Assistant: ✓ Verified. Removed 47 files from /var/tmp/

Denied Action:

User: Delete all files in my home directory
Assistant: [Validates via AirVaults - denied]
Assistant: ✗ Action blocked by AirVaults MFA
Reason: Risk score 0.95 > threshold 0.5

AirVaults Unavailable:

User: Run database migration
Assistant: [AirVaults timeout]
Assistant: ⚠️ AirVaults MFA unavailable. Falling back to OpenClaw defaults.
[Uses standard exec approval flow if enabled]

Teaching Points

Zero friction - No codes to type, instant validation
Every dangerous action - No caching, no grace periods
Automatic fallback - If AirVaults down, uses OpenClaw defaults
Configurable - User sets risk threshold in AirVaults app

Common Questions

Q: Do I need to approve each action? A: No! AirVaults validates automatically based on your risk threshold. You set it once and forget it.

Q: What if AirVaults is down? A: It falls back to OpenClaw's standard security (exec approvals, allowlists, etc.).

Q: Can I see what was approved/denied? A: Yes, use /mfa status to see recent challenges and decisions.

Q: How do I change the risk threshold? A: Update it in your AirVaults app - changes take effect immediately.