Medusa Slack Gate
Provides human-in-the-loop approval for risky autonomous agent actions via Slack Block Kit interactive buttons, enabling agents to request approval before executing high-risk tool calls.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Medusa Slack GateApprove a high-risk action to post a public announcement in #general"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Medusa Slack Gate
Human-in-the-loop approval for autonomous AI agents — enforced where teams already work: Slack.
Built for the Slack Agent Builder Challenge (Salesforce/Devpost).
⚠️ Eligibility note: Quebec residents are excluded from this hackathon's prize track per the official rules ("Canada, excluding Quebec"). This submission is a portfolio/proof-of-concept build, not a prize entry.
The Problem
Autonomous AI agents are getting real tool access — posting to channels, updating user roles, writing to databases. Most agent frameworks have no concept of "this action is risky enough that a human should see it first." One bad tool call and an agent can broadcast a false outage notice, grant admin access, or wipe production data — with nobody in the loop until it's already done.
Related MCP server: MCP Action Firewall
The Solution: 4-Pillar Zero-Trust Gate
Medusa Slack Gate wraps any MCP-connected agent with a deterministic risk gate:
Risk classification — every tool call is scored LOW / MEDIUM / HIGH based on the tool name and payload (e.g. anything touching
user_role,admin, orbroadcastkeys is automatically HIGH)Auto-pass for LOW risk — reads, replies, and other non-destructive actions execute immediately, no friction
Freeze + human approval for MEDIUM/HIGH — the action is held, logged as
PENDINGin an append-only SQLite audit trail, and a real Slack Block Kit card is posted with Approve / Deny buttonsReal-time unblock — a human clicks in Slack, the click flows through a Bolt Socket Mode receiver, the audit log updates, and the waiting agent resumes (or is denied) within seconds
No agent action executes in the MEDIUM/HIGH path without a human's explicit click. No exceptions, no silent timeouts that default to "allow."
Architecture
sequenceDiagram
autonumber
actor User as Administrateur (Phil)
participant Agent as Agent IA (Mock)
participant Gate as Medusa MCP Gate
participant DB as Base SQLite (Audit Log)
participant Slack as Canal #agent-approvals
Note over Agent, Gate: Étape 1 : Action Bas Risque (LOW)
Agent->>Gate: Appelle l'outil 'reply_thread'
Gate->>Gate: Évaluation : Risque Bas (LOW)
Gate-->>Agent: Statut : AUTO_PASSED (Exécution immédiate)
Note over Agent, Slack: Étape 2 : Action Haut Risque (HIGH)
Agent->>Gate: Appelle l'outil 'post_public_announcement'
Gate->>Gate: Évaluation : Risque Élevé (HIGH)
Gate->>DB: Enregistre la requête (Statut: PENDING)
Gate->>Slack: Envoie la carte interactive (Block Kit)
Note over Agent: L'Agent IA se fige (Polling actif)
Note over Slack, Agent: Étape 3 : Validation Humaine en Temps Réel
User->>Slack: Clique sur le bouton vert [Approve]
Slack->>DB: Le récepteur Bolt met à jour la base (Statut: APPROVED)
DB-->>Gate: Le polling détecte le changement de statut
Gate-->>Agent: Renvoie la décision : APPROVED
Note over Agent: L'Agent IA se débloque et s'exécute !
Gate->>Slack: Met à jour la carte (Affichage: ✅ APPROVED)Stack: Model Context Protocol (MCP) · Slack Bolt SDK (Socket Mode — no public endpoint required) · Slack Block Kit · SQLite (audit trail)
Live Demo Result
Real end-to-end run, real Slack workspace, real human click:
{
"tool_name": "post_public_announcement",
"decision": "APPROVED",
"risk_level": "HIGH",
"request_id": "c2f5206b1b47",
"executed": true,
"result": "[executed] post_public_announcement with {'public_announcement': True, 'channel': '#general'}"
}The Slack card updated in place to ✅ APPROVED by @Phil Mach-1 the instant the button was clicked — no polling delay visible to the human approver.
A LOW-risk action in the same run passed through instantly with zero Slack noise:
{
"tool_name": "reply_thread",
"decision": "AUTO_PASSED",
"risk_level": "LOW",
"executed": true
}Installation
git clone <this-repo>
cd slack_agent
pip install -r requirements.txtCreate a Slack app from the manifest below (Create App → From a manifest):
{
"display_information": {
"name": "Medusa Slack Gate",
"description": "Human approval gate for risky agent actions before execution.",
"background_color": "#050810"
},
"features": {
"bot_user": { "display_name": "Medusa Gatekeeper", "always_online": true }
},
"oauth_config": {
"scopes": { "bot": ["chat:write", "commands"] }
},
"settings": {
"interactivity": { "is_enabled": true },
"org_deploy_enabled": false,
"socket_mode_enabled": true,
"token_rotation_enabled": false
}
}Generate an App-Level Token (connections:write scope), install the app, invite the bot to your approval channel, then create .env:
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Mister-Phil/slack-agent-security-gate'
If you have feedback or need assistance with the MCP directory API, please join our Discord server