Introducing Secure Administrator Approvals for Personal Assistants

Introducing Secure Administrator Approvals for Personal Assistants

2026-05-23

by Uri Walevski

When building non-isolated personal assistant bots (isolateUsers = false), you often want your assistant to have maximum capability. Under the hood, this means giving it tools to provision real cloud VMs, manage OAuth tokens, and execute code that reads and writes your secrets.

But if other people—such as team members, group chat participants, or external contacts messaging your bot via connected WhatsApp (Supergreen) numbers/accounts—are interacting with your assistant, a critical security issue arises. Because isolateUsers = false is active, there are no independent user sandboxes. All participants share the same session context, and anyone who can reach your bot's Supergreen number or mention it in a shared group can potentially prompt-inject the assistant. A clever instruction or a malicious user could convince the assistant to perform sensitive operations like spinning up heavy cloud VMs, exposing your OAuth tokens, or reading API keys on their behalf.

Today, we're introducing Secure Administrator Approvals to elegantly solve this security surface.

The Problem with Useful Assistants

Useful assistants need real power. If your assistant can deploy code, check production logs, or integrate with Google Drive, it needs credentials and execution environments.

In personal assistant bots, users are not isolated. This is by design: you want your assistant to coordinate tasks across multiple users or be available to a shared group. However, when the assistant is connected to public channels like a WhatsApp Business or Supergreen account, any contact or group participant can send a message. Since there is no user isolation, a non-admin user talking to the bot in a group chat could potentially trick the bot into using these administrative tools. Keeping the bot useful to you while ensuring it doesn't leak power to others is a difficult tension.

The Solution: Paused Execution & One-Time Approvals

From now on, we automatically intercept sensitive tool calls if the bot is non-isolated (isolateUsers = false) and the current conversation is not with one of the bot's configured administrators:

  1. Paused Execution: When the agent attempts to create a VM (create_vm), initiate/refresh an OAuth flow (create_oauth_callback, refresh_oauth_token), or run a Safescript program that maps encrypted secrets (run_safescript), the tool immediately pauses and returns: "requesting admin permission for this action, once admins approve you'll get notified"
  2. One-Time Link Generation: The system instantly registers a pending approval request in our secure database with a secure, unguessable UUID and a strictly enforced 10-minute expiration.
  3. Admin Escalation: A secure, one-time approval link is automatically sent to the bot's administrators. If an admin has a registered phone number, they get an instant WhatsApp message (composed by our builder bot); otherwise, they receive a beautifully styled HTML email notification with the requesting user's ID, a direct chat link, and an approve button.
  4. Resuming with Context Injection: Once an admin clicks the link, they see an approval success page. In the background, the server injects a system thought into the chat history: [System notification: The administrator has approved your request to execute <toolName> (Request ID: <requestId>). You can now re-call the tool and include this request_id.] This automatically wakes the agent up and triggers a safe re-run where it can proceed using the single-use request_id.

Guest Developer Friendliness

If you are a guest developer just trying out prompt2bot, or if you haven't set up your administrator email or phone yet, you won't be locked out.

The system automatically detects if the bot lacks any contactable admins (no registered phone or email). If so, it bypasses the approval flow so your development, testing, and iteration remain completely instant and friction-free.

Zero-Duplication, Complete Security

By wrapping the exact execution boundaries—VM creation, OAuth initiation, and static Safescript secret mapping—we've secured the entire assistant capability layer with zero code duplication. Your credentials and cloud compute remain fully locked down, allowing you to safely share your personal assistants with group chats and external users without fear of abuse!

← All posts