otp-challenger
Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before executing sensitive actions. Use this for identity verification in approval workflows: deploy commands, financial operations, data access, admin operations, and change control.
Why use this skill?
Enhance agent security with the otp-challenger skill. Protect deployments, financial tasks, and data access with TOTP and YubiKey verification flows.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/ryancnelson/otp-challenger
What This Skill Does
The otp-challenger skill adds an authentication gate to OpenClaw agents: before a sensitive operation runs, the user must present a fresh second factor, either a TOTP (Time-based One-Time Password) code or a YubiKey OTP. It acts as a gatekeeper for high-stakes workflows, so that critical actions are tied to a user who has just proven possession of their authenticator; a hijacked session or an injected command cannot, by itself, trigger them. Verification state is tracked automatically in a local JSON file with a configurable TTL (Time-To-Live), so a routine multi-step workflow asks for a code once rather than at every step. The TTL is the trade-off to tune: while it is valid, anything running as the agent can perform gated actions without a new challenge, so keep it as short as the workflow allows.
Installation
To integrate this skill into your OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/ryancnelson/otp-challenger
Once installed, configure your authentication providers by setting the required environment variables or updating your ~/.openclaw/config.yaml file. You must provide an OTP_SECRET for standard TOTP support; this is the shared seed from which codes are generated, so treat it like a password, since anyone who can read it can produce valid codes. Optionally, add Yubico API credentials if you want hardware-based YubiKey authentication. Ensure the directory path specified in OTP_STATE_FILE is writable by the agent user, and by no one else: a process that can edit the state file can mark a session as verified.
Use Cases
- Cloud Infrastructure: Require an OTP before running terraform apply or kubectl delete commands to prevent accidental production outages.
- Administrative Access: Protect sensitive user database modifications or permission escalation commands behind an identity check.
- Financial Approval: Integrate with financial pipelines to verify identity before executing wire transfers or payment processing scripts.
- Data Privacy: Use it as a prerequisite for accessing or exporting PII and other sensitive customer data to ensure compliance with security audits.
Example Prompts
- "Run the production deployment script, but verify my identity using the otp-challenger skill first."
- "I need to delete the user account 'john_doe'. Please trigger an OTP challenge before executing the command."
- "Check if my current session is verified to perform high-privilege financial operations; if not, initiate the verification process."
Tips & Limitations
- State Management: The otp-state.json file is vital; keep it out of backups and public repositories, since it records when the session was last verified, and restrict it to the agent user, since a writable copy could be used to mark a session as verified.
- ModHex Requirements: When using YubiKey, ensure your hardware is configured to emit the standard 44-character ModHex string: a 12-character public ID followed by the 32-character encrypted token, using only the characters cbdefghijklnrtuv. The skill will fail if it receives an invalid format.
- Automation: For programmatic usage, always check the status with check-status.sh before prompting the user for an OTP, to avoid redundant friction.
- Limitations: This skill assumes the underlying environment is secure; it does not replace identity provider (IdP) integration but acts as a local enforcement point for agent-driven tasks. Both the OTP_SECRET and the state file live on the host the agent runs on, so the skill protects against an agent acting without a present user, not against a compromise of that host.
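To make the mechanics concrete, here is an added example (not the skill's own code, and its function names and the layout of the state file are assumptions) of what an OTP challenger has to do: verify an RFC 6238 TOTP code from a base32 seed like OTP_SECRET, refuse a code that has already been accepted so a captured code cannot be replayed, record the verification in a JSON state file written with mode 0600, honour a TTL on later status checks, and apply the 44-character ModHex format check described for YubiKey OTPs. The seed used in the demo is the public RFC 6238 test vector, not a real secret.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # YubiKey OTP alphabet
TOTP_STEP = 30                          # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def decode_secret(b32: str) -> bytes:
    """Decode a base32 TOTP seed (the OTP_SECRET value); restore any stripped padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TOTP_STEP)


def match_counter(secret: bytes, code: str, now: int, window: int = 1):
    """Return the time-step counter the code matches (current step +/- window) or None.
    Constant-time comparison so a wrong code cannot be distinguished by timing."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return None
    base = now // TOTP_STEP
    for c in range(max(0, base - window), base + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def challenge(secret: bytes, code: str, state: dict, now: int) -> bool:
    """Verify a fresh TOTP code and record the verification in the state dict.
    A counter at or below the last accepted one is rejected, so a code that was
    captured (shoulder-surfed, logged) cannot be replayed within its validity window."""
    c = match_counter(secret, code, now)
    if c is None or c <= state.get("last_counter", -1):
        return False
    state["verified_at"] = now
    state["last_counter"] = c
    return True


def is_verified(state: dict, now: int, ttl: int) -> bool:
    """True while the last verification is younger than ttl seconds (the configurable TTL)."""
    ts = state.get("verified_at")
    return ts is not None and 0 <= now - ts < ttl


def load_state(path: str) -> dict:
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_state(path: str, state: dict) -> None:
    """Write the state file atomically with mode 0600: whoever can write it can mark
    a session verified, so it must belong to the agent user only."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)


def yubikey_public_id(otp: str):
    """Format check for a YubiKey OTP: exactly 44 ModHex characters, the first 12 being
    the public ID and the remaining 32 the encrypted token. Returns the public ID or
    None. Validating the token itself still requires the Yubico validation API."""
    if len(otp) != 44 or any(ch not in MODHEX_ALPHABET for ch in otp):
        return None
    return otp[:12]


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed, which yields code 287082 at t=59.
    seed = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    state = {}
    print(challenge(seed, "287082", state, 59))            # True
    print(is_verified(state, 59 + 120, ttl=300))           # True, inside the TTL
    print(challenge(seed, "287082", state, 70))            # False, replayed code
    print(yubikey_public_id("cccccccccccc" + "d" * 32))    # cccccccccccc
```

The replay check is the part most home-grown verifiers omit: accepting the current and adjacent time steps for clock drift is standard, but without remembering the last accepted counter the same code can be presented again for up to 90 seconds.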
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-ryancnelson-otp-challenger": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Flags: file-read, file-write, external-api