otp-challenger

Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before executing sensitive actions. Use this for identity verification in approval workflows - deploy commands, financial operations, data access, admin operations, and change control.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "otp-challenger" with this command: npx skills add ryancnelson/otp-challenger

OTP Identity Challenge Skill

Challenge users for fresh two-factor authentication before sensitive actions.

When to Use

Require OTP verification before:

  • Deploy commands (kubectl apply, terraform apply)
  • Financial operations (transfers, payment approvals)
  • Data access (PII exports, customer data)
  • Admin operations (user modifications, permission changes)

Scripts

verify.sh

Verify a user's OTP code and record verification state.

./verify.sh <user_id> <code>

Parameters:

  • user_id - Identifier for the user (e.g., email, username)
  • code - Either 6-digit TOTP or 44-character YubiKey OTP

Exit codes:

  • 0 - Verification successful
  • 1 - Invalid code or rate limited
  • 2 - Configuration error (missing secret, invalid format)

Output on success:

✅ OTP verified for <user_id> (valid for 24 hours)
✅ YubiKey verified for <user_id> (valid for 24 hours)

Output on failure:

❌ Invalid OTP code
❌ Too many attempts. Try again in X minutes.
❌ Invalid code format. Expected 6-digit TOTP or 44-character YubiKey OTP.

check-status.sh

Check if a user's verification is still valid.

./check-status.sh <user_id>

Exit codes:

  • 0 - User has valid (non-expired) verification
  • 1 - User not verified or verification expired

Output:

✅ Valid for 23 more hours
⚠️ Expired 2 hours ago
❌ Never verified

generate-secret.sh

Generate a new TOTP secret with QR code (requires qrencode to be installed).

./generate-secret.sh <account_name>

Usage Pattern

#!/bin/bash
source ../otp/verify.sh

if ! verify_otp "$USER_ID" "$OTP_CODE"; then
  echo "🔒 This action requires OTP verification"
  exit 1
fi

# Proceed with sensitive action

Configuration

Required for TOTP:

  • OTP_SECRET - Base32 TOTP secret

Required for YubiKey:

  • YUBIKEY_CLIENT_ID - Yubico API client ID
  • YUBIKEY_SECRET_KEY - Yubico API secret key (base64)

Optional:

  • OTP_INTERVAL_HOURS - Verification expiry (default: 24)
  • OTP_MAX_FAILURES - Failed attempts before rate limiting (default: 3)
  • OTP_STATE_FILE - State file path (default: memory/otp-state.json)

Configuration can be set via environment variables or in ~/.openclaw/config.yaml:

security:
  otp:
    secret: "BASE32_SECRET"
  yubikey:
    clientId: "12345"
    secretKey: "base64secret"

Code Format Detection

The script auto-detects code type:

  • 6 digits (123456) → TOTP validation
  • 44 ModHex characters (cccccc...) → YubiKey validation

ModHex alphabet: cbdefghijklnrtuv

State File

Verification state stored in memory/otp-state.json. Contains only timestamps, no secrets.

Human Documentation

See README.md for:

  • Installation instructions
  • Setup guides (TOTP and YubiKey)
  • Security considerations
  • Troubleshooting
  • Examples

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Auto Authenticator Local

Use when the user wants a local-first TOTP helper for accounts they personally own or are explicitly authorized to access. This skill stores TOTP seeds in sy...

Registry SourceRecently Updated
063
Profile unavailable
Security

agent-bom

Security scanner for AI infrastructure and supply chain — discovers MCP clients and servers, scans for CVEs, maps blast radius, generates SBOMs, runs CIS ben...

Registry SourceRecently Updated
0799
msaad00
Security

Session Password

Provides secure session authentication using bcrypt-hashed passwords, security questions, email recovery, and lockout protection with audit logging.

Registry SourceRecently Updated
119
Profile unavailable