Medusa Slack Gate
FreeNot checkedHuman-in-the-loop approval gate for MCP agents, classifying tool calls by risk and requiring Slack-based human approval for medium/high risk actions.
About
Human-in-the-loop approval gate for MCP agents, classifying tool calls by risk and requiring Slack-based human approval for medium/high risk actions.
README
Human-in-the-loop approval for autonomous AI agents — enforced where teams already work: Slack.
Built for the Slack Agent Builder Challenge (Salesforce/Devpost).
⚠️ Eligibility note: Quebec residents are excluded from this hackathon's prize track per the official rules ("Canada, excluding Quebec"). This submission is a portfolio/proof-of-concept build, not a prize entry.
The Problem
Autonomous AI agents are getting real tool access — posting to channels, updating user roles, writing to databases. Most agent frameworks have no concept of "this action is risky enough that a human should see it first." One bad tool call and an agent can broadcast a false outage notice, grant admin access, or wipe production data — with nobody in the loop until it's already done.
The Solution: 4-Pillar Zero-Trust Gate
Medusa Slack Gate wraps any MCP-connected agent with a deterministic risk gate:
- Risk classification — every tool call is scored LOW / MEDIUM / HIGH based on the tool name and payload (e.g. anything touching
user_role,admin, orbroadcastkeys is automatically HIGH) - Auto-pass for LOW risk — reads, replies, and other non-destructive actions execute immediately, no friction
- Freeze + human approval for MEDIUM/HIGH — the action is held, logged as
PENDINGin an append-only SQLite audit trail, and a real Slack Block Kit card is posted with Approve / Deny buttons - Real-time unblock — a human clicks in Slack, the click flows through a Bolt Socket Mode receiver, the audit log updates, and the waiting agent resumes (or is denied) within seconds
No agent action executes in the MEDIUM/HIGH path without a human's explicit click. No exceptions, no silent timeouts that default to "allow."
Architecture
sequenceDiagram
autonumber
actor User as Administrateur (Phil)
participant Agent as Agent IA (Mock)
participant Gate as Medusa MCP Gate
participant DB as Base SQLite (Audit Log)
participant Slack as Canal #agent-approvals
Note over Agent, Gate: Étape 1 : Action Bas Risque (LOW)
Agent->>Gate: Appelle l'outil 'reply_thread'
Gate->>Gate: Évaluation : Risque Bas (LOW)
Gate-->>Agent: Statut : AUTO_PASSED (Exécution immédiate)
Note over Agent, Slack: Étape 2 : Action Haut Risque (HIGH)
Agent->>Gate: Appelle l'outil 'post_public_announcement'
Gate->>Gate: Évaluation : Risque Élevé (HIGH)
Gate->>DB: Enregistre la requête (Statut: PENDING)
Gate->>Slack: Envoie la carte interactive (Block Kit)
Note over Agent: L'Agent IA se fige (Polling actif)
Note over Slack, Agent: Étape 3 : Validation Humaine en Temps Réel
User->>Slack: Clique sur le bouton vert [Approve]
Slack->>DB: Le récepteur Bolt met à jour la base (Statut: APPROVED)
DB-->>Gate: Le polling détecte le changement de statut
Gate-->>Agent: Renvoie la décision : APPROVED
Note over Agent: L'Agent IA se débloque et s'exécute !
Gate->>Slack: Met à jour la carte (Affichage: ✅ APPROVED)
Stack: Model Context Protocol (MCP) · Slack Bolt SDK (Socket Mode — no public endpoint required) · Slack Block Kit · SQLite (audit trail)
Live Demo Result
Real end-to-end run, real Slack workspace, real human click:
{
"tool_name": "post_public_announcement",
"decision": "APPROVED",
"risk_level": "HIGH",
"request_id": "c2f5206b1b47",
"executed": true,
"result": "[executed] post_public_announcement with {'public_announcement': True, 'channel': '#general'}"
}
The Slack card updated in place to ✅ APPROVED by @Phil Mach-1 the instant the button was clicked — no polling delay visible to the human approver.
A LOW-risk action in the same run passed through instantly with zero Slack noise:
{
"tool_name": "reply_thread",
"decision": "AUTO_PASSED",
"risk_level": "LOW",
"executed": true
}
Installation
git clone <this-repo>
cd slack_agent
pip install -r requirements.txt
Create a Slack app from the manifest below (Create App → From a manifest):
{
"display_information": {
"name": "Medusa Slack Gate",
"description": "Human approval gate for risky agent actions before execution.",
"background_color": "#050810"
},
"features": {
"bot_user": { "display_name": "Medusa Gatekeeper", "always_online": true }
},
"oauth_config": {
"scopes": { "bot": ["chat:write", "commands"] }
},
"settings": {
"interactivity": { "is_enabled": true },
"org_deploy_enabled": false,
"socket_mode_enabled": true,
"token_rotation_enabled": false
}
}
Generate an App-Level Token (connections:write scope), install the app, invite the bot to your approval channel, then create .env:
Installing Medusa Slack Gate
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/Mister-Phil/slack-agent-security-gateFAQ
Is Medusa Slack Gate MCP free?
Yes, Medusa Slack Gate MCP is free — one-click install via Unyly at no cost.
Does Medusa Slack Gate need an API key?
No, Medusa Slack Gate runs without API keys or environment variables.
Is Medusa Slack Gate hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Medusa Slack Gate in Claude Desktop, Claude Code or Cursor?
Open Medusa Slack Gate on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Gmail
Read, send and search emails from Claude
by GoogleSlack
Send, search and summarize Slack messages
by SlackRunbear
No-code MCP client for team chat platforms, such as Slack, Microsoft Teams, and Discord.
Discord Server
A community discord server dedicated to MCP by [Frank Fiegel](https://github.com/punkpeye)
Compare Medusa Slack Gate with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All communication MCPs
