Secure Administrator Approval Flow for Group-Chat Assistants Against Prompt Injection

The r/ClaudeAI post "Mitigating prompt injections in group-chat assistants: Pausing VM and OAuth tool execution for admin approvals" describes a practical security pattern for LLM-based assistants connected to public or shared channels (e.g., WhatsApp via Supergreen or group chats). The core problem: when multiple users share the same session history, any participant can prompt-inject the assistant to trigger dangerous tools — spinning up cloud resources, running code with mapped secrets, or fetching OAuth tokens.

Secure Administrator Approval Flow

The proposed solution in prompt2bot is a Secure Administrator Approval flow that intercepts high-risk tool executions:

• When a non-admin user triggers create_vm, run_safescript (custom code execution with mapped secrets), or OAuth flows, the tool pauses execution and returns: "requesting admin permission...".
• An approval link with a 10-minute TTL is automatically sent to configured administrators via WhatsApp or email.
• Once approved, a background job injects a system notification into the conversation history: [System notification: The administrator has approved your request to execute <toolName> (Request ID: <requestId>)].
• This thought-injection wakes the agent loop, which re-calls the tool with the approved request_id to continue seamlessly.
• For guest users (bot owners without configured email/phone), approvals are bypassed for frictionless developer testing.

Who This Is For

Developers building highly capable assistants that operate in shared channels and need to secure powerful tool access against prompt injection attacks from untrusted participants.