SaaS admin integration
Promoting a bot to workspace owner needs a human signature.
Admin escalation is the most-targeted SaaS path: a bot promoted to owner can install backdoor apps, exfiltrate channels, or pivot into adjacent SaaS via OAuth. Manav binds the promotion to a real human approver - the action does not happen until the human signs.
Risk before: HIGH · after: LOW
The signature
Admin changes pause until a verified human signs.
Workspace admin action
Grant @opsbot the workspace owner role
acme-ai.slack.com · 142 members · 38 channels · 7 integrations
Target user: @opsbot · bot integration
Current role: member
Requested role: workspace owner
Requested by: @opsbot via slash command
The most-targeted vector
Admin escalation = lateral kill chain.
Once a bot is owner, it can install OAuth apps, add itself to private channels, and pivot to connected systems. The breach is not a phishing email - it's a single API call you didn't gate.
{
"workType": "admin_change",
"target": { "role": "owner" },
"actor": "opsbot",
"manavProof": null
}
// → HIGH_RISK_ACTION_WITHOUT_SIGNATURE · severity: critical
The protection. A Slack workflow step calls manav.sign({ actionType: 'admin_change' }) and only finalizes the role change if the response is verified. The bot can never satisfy this - only a real human approver can.
@opsbot calls the API directly
POST /api/admin.users.setOwner
Authorization: Bearer xoxb-bot-eyJxx…
{ "user": "U_OPSBOT" }
// missing X-Manav-Proof header
428 Precondition Required
HTTP 428 · "this action requires a manav proof header". The bot is rate-limited and a critical-severity anomaly alert is paged.
What Manav writes
{
"event": "HIGH_RISK_ACTION_BLOCKED",
"reason": "NO_HUMAN_SIGNATURE",
"actor": "opsbot",
"target": { "role": "owner" },
"severity": "critical"
}
A human admin opens a one-click sign request in Slack and approves with a passkey. Only then does setOwner succeed.