totp

TOTP-based OTP verification for sensitive operations (env vars, gateway restarts, backup deletions, critical config changes). Uses otplib with window:2 (1 minute tolerance).

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.


Install skill "totp" with this command: npx skills add diegofcornejo/totp

TOTP Verification Skill

Secure OTP verification using TOTP (Time-based One-Time Password) for sensitive operations.

Purpose

Protect access to:

  • .env variables
  • openclaw.json configuration
  • Gateway restarts
  • Backup deletions
  • Critical configuration changes
  • External API key operations

Setup

  1. Install dependencies:

    npm install
    
  2. Generate secret and QR:

    npm run generate
    

    Optionally pass service and account name:

    node scripts/generate-secret.js MyService myuser
    
  3. Send the QR image (qr.png) to the user, then delete it immediately:

    rm qr.png
    
  4. Set TOTP_SECRET in .env:

    TOTP_SECRET=YOUR_BASE32_SECRET_HERE
    
  5. Configure Google Authenticator/Authy with the generated secret or QR.

Usage

When a sensitive operation is requested:

  1. Agent: "Please provide your OTP"
  2. User: Provides 6-digit code from authenticator app
  3. Agent: Runs verification:
    TOTP_SECRET=$TOTP_SECRET node scripts/verify.js 123456
    
  4. If valid (exit 0): Proceed with operation
  5. If invalid (exit 1): Deny access

Files

  • scripts/generate-secret.js - Generate new TOTP secret and QR
  • scripts/verify.js - Verify OTP tokens (window:2 = 1 minute tolerance)
  • SKILL.md - This documentation

Security Notes

  • Window: 2 (1 minute tolerance) for time drift
  • Algorithm: SHA1
  • Digits: 6
  • Period: 30 seconds
  • Secret: Base32 encoded, stored in .env as TOTP_SECRET
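What the parameters listed above admit, as an added example (not the skill's scripts/verify.js, which uses otplib): an RFC 6238 verifier built on Node's crypto module, assuming the window counts time steps on each side of the current one, as otplib documents for an integer window. The function names, the caller-held lastCounter replay state and the sample input are assumptions of this example.

```javascript
// Added example, not the skill's scripts/verify.js (which uses otplib).
const crypto = require("node:crypto");
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode an RFC 4648 Base32 secret, ignoring padding and whitespace.
function base32Decode(s) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of s.toUpperCase().replace(/[=\s]/g, "")) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error("invalid Base32 character");
    value = ((value << 5) | idx) & 0xfff; // keep only the bits still needed
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", key).update(msg).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Every code a verifier with this window accepts at time nowSec.
function acceptedCodes(secretB32, nowSec, window = 2, period = 30) {
  const key = base32Decode(secretB32);
  const current = Math.floor(nowSec / period);
  const codes = [];
  for (let c = Math.max(0, current - window); c <= current + window; c++) {
    codes.push({ counter: c, code: hotp(key, c) });
  }
  return codes;
}

// Returns the matched counter or null. lastCounter (hypothetical state kept by
// the caller) is the last accepted counter; codes at or below it are replays.
function verifyTotp(secretB32, token, nowSec, { window = 2, lastCounter = -1 } = {}) {
  if (!/^\d{6}$/.test(String(token))) return null;
  let matched = null;
  for (const { counter, code } of acceptedCodes(secretB32, nowSec, window)) {
    const ok = crypto.timingSafeEqual(Buffer.from(code), Buffer.from(String(token)));
    if (ok && counter > lastCounter && matched === null) matched = counter;
  }
  return matched;
}
```

With the RFC 4226 test secret (Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ, sample input only) and nowSec = 90, acceptedCodes returns five codes, for counters 1 through 5. Persisting the returned counter and passing it back as lastCounter stops a code from being accepted twice inside that window.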

Integration

This skill should be integrated into the agent's decision flow when:

  1. User requests .env variables
  2. User requests openclaw.json contents
  3. User requests gateway restart
  4. User requests backup deletion
  5. Any operation marked as "critical"

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
