Human In The Loop Gate
Add a human approval checkpoint to an agent so it pauses before a risky or irreversible action (spending money, deleting data, sending messages, merging code) and resumes only after a human approves. Use when an agent acts autonomously on consequential operations.
Install to ~/.claude/skills/human-in-the-loop-gate/SKILL.md
Autonomy is great until an agent does something irreversible. This skill inserts a human-in-the-loop gate: classify which actions are consequential, interrupt the agent before them with the proposed action and its context, and resume (or abort) based on the human's decision — durably, so a restart doesn't lose state.
An agent that can act autonomously will eventually try to do something you'd want to stop — spend money, delete a record, email a customer, force-push to main. A human-in-the-loop (HITL) gate makes consequential actions require approval without turning the whole agent into a manual tool. This skill adds that gate cleanly.
When to use this skill
- An agent performs irreversible or costly actions (payments, deletions, deploys, outbound messages, merges).
- You're moving an agent from a trusted sandbox toward production or real-user traffic.
- A compliance or safety requirement mandates a human checkpoint before certain operations.
Instructions
- Classify actions by consequence. Separate reversible/cheap actions (read a file, search) the agent may do freely from consequential ones (write to prod, spend, send, delete) that require approval. Gate only the latter — gating everything destroys the point of an agent.
- Interrupt before the action, not after. At the gate, pause the agent and surface the proposed action plus its context: exactly what it will do, the arguments, and why. The human approves, edits, or rejects.
- Make the pause durable. Persist agent state at the interrupt (checkpoint) so approval can come seconds or hours later, and a process restart doesn't lose the run. Frameworks like LangGraph provide interrupt/resume primitives; for others, persist state explicitly.
- Handle all three outcomes. Approve → resume from the checkpoint. Edit → resume with the modified action. Reject → abort safely (no partial side effects) and record the reason.
- Fail safe and audit. Default to not acting on timeout or ambiguity, and log every gated decision (action, context, who approved, outcome) for accountability.
- Right-size the friction. Too many prompts and humans rubber-stamp; too few and risky actions slip through. Gate by genuine blast radius, and consider thresholds (e.g. approve refunds over $X).
WARNING
A gate that fires on everything trains humans to approve blindly — which is worse than no gate, because it looks safe. Gate only genuinely consequential actions, and show enough context to make a real decision.
NOTE
The gate must be enforced where the action executes (the tool layer), not just requested in the prompt. A prompt instruction to "ask first" is a suggestion; a code-level interrupt is a guarantee.
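The steps above and the note on tool-layer enforcement, as an added example (not code shipped with this skill): a Python gate that is the only path to the tools, checkpoints gated calls in SQLite, and handles approve, edit, reject and timeout with an audit row for each decision. The tool names, the GATED set, REFUND_LIMIT and the table layout are assumptions made for the illustration.

```python
import json, sqlite3, time, uuid

GATED = {"delete_record", "send_email", "merge"}  # assumed policy for this example
REFUND_LIMIT = 100                                 # hypothetical "$X" threshold

class Gate:
    """Sole path to the tools: free actions run, gated ones checkpoint and pause."""
    def __init__(self, db_path, tools, timeout_s=3600):
        self.db, self.tools, self.timeout_s = sqlite3.connect(db_path), tools, timeout_s
        self.db.execute("CREATE TABLE IF NOT EXISTS pending"
                        "(id TEXT PRIMARY KEY, tool TEXT, args TEXT, reason TEXT, created REAL)")
        self.db.execute("CREATE TABLE IF NOT EXISTS audit(id TEXT, tool TEXT, args TEXT,"
                        " reason TEXT, approver TEXT, outcome TEXT, note TEXT, ts REAL)")

    def needs_approval(self, tool, args):
        if tool == "refund":  # a missing amount counts as over the limit (fail safe)
            return args.get("amount", float("inf")) > REFUND_LIMIT
        return tool in GATED

    def call(self, tool, args, reason):
        if not self.needs_approval(tool, args):
            return {"status": "done", "result": self.tools[tool](**args)}
        rid = uuid.uuid4().hex
        with self.db:  # durable checkpoint: survives a process restart
            self.db.execute("INSERT INTO pending VALUES (?,?,?,?,?)",
                            (rid, tool, json.dumps(args), reason, time.time()))
        return {"status": "pending", "id": rid}

    def decide(self, rid, approver, decision, edited_args=None, note="", now=None):
        row = self.db.execute("SELECT tool, args, reason, created FROM pending WHERE id=?", (rid,)).fetchone()
        if row is None:
            raise KeyError(rid)  # unknown or already decided: never act twice
        tool, args, reason, created = row[0], json.loads(row[1]), row[2], row[3]
        now = time.time() if now is None else now
        if now - created > self.timeout_s:
            outcome = "expired"   # approval arrived too late: do not act
        elif decision == "approve":
            outcome = "approved"
        elif decision == "edit" and edited_args is not None:
            outcome, args = "edited", edited_args
        else:
            outcome = "rejected"  # explicit reject, or anything ambiguous
        with self.db:  # close the request and audit it atomically, before acting
            self.db.execute("DELETE FROM pending WHERE id=?", (rid,))
            self.db.execute("INSERT INTO audit VALUES (?,?,?,?,?,?,?,?)",
                            (rid, tool, json.dumps(args), reason, approver, outcome, note, now))
        if outcome in ("approved", "edited"):
            return {"status": outcome, "result": self.tools[tool](**args)}
        return {"status": outcome, "result": None}
```

Wire the agent's tool dispatcher to Gate.call only and expose Gate.decide to the approval interface; a pending id can be decided by a fresh process opened on the same database file.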
Output
A working approval gate: the action-consequence classification, the interrupt/resume implementation with durable state, the approve/edit/reject handling, fail-safe defaults, and an audit log of decisions.
Related
- Add Human Approval Step
  Scaffold a human-in-the-loop approval gate into an agent so it pauses before a consequential action and resumes after approval.
- Agent Reliability Reviewer
  Use this agent to make an AI agent production-ready — reviewing its loops, cost controls, error handling, tool use, human-in-the-loop gates, checkpointing, and observability, then reporting concrete failure modes and fixes. Examples — "is our agent safe to ship?", "our agent loops forever / burns tokens, harden it", "add guardrails and recovery before we put this agent in front of users".
- Production Tool & Function Calling: Feed Errors Back as Observations
  How agents use tools — the call/observe/retry loop, why errors must return to the model, and the schemas, idempotency, and limits that keep it reliable.
- Which Agent Framework in 2026? LangGraph vs CrewAI vs AutoGen vs OpenAI Agents SDK vs Claude Agent SDK
  A decision guide to the major AI agent frameworks — control vs. abstraction, multi-agent models, state and durability, and which fits your project.
- Securing AI Agents: The OWASP Agentic Top 10 in Practice
  Agents add risks LLM-app security misses — autonomy, tools, memory, multi-agent trust. The key OWASP agentic threats and how to mitigate each in practice.