EngageLab OTP

v1.0.1

Call EngageLab OTP REST APIs to send one-time passwords (OTP), verify codes, send custom messages, and manage OTP templates across SMS, WhatsApp, Email, and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included materials: a REST client (otp_client.py), webhook verifier (verify_callback.py), and comprehensive API docs. All requested capabilities (send/verify/templates/callbacks/SMPP) are implemented or documented; there are no unrelated credential requests or surprising binaries.
Instruction Scope
SKILL.md instructs how to authenticate (dev_key/dev_secret), which endpoints to call, and how to validate callbacks. The instructions do not direct the agent to read unrelated files, harvest environment variables, or send data to unexpected endpoints. Webhook verification code and callback docs are scoped to securing incoming callbacks.
Install Mechanism
This is an instruction-only skill with Python helper scripts; there is no install spec. The client uses the 'requests' package but no dependency list is declared — the user/agent must ensure Python and requests are available. No network downloads or external installers are embedded.
Credentials
The skill does not declare required environment variables or primary credentials. It legitimately needs the user's dev_key/dev_secret to call the API; SKILL.md instructs the agent to ask the user if credentials are missing. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent/privileged system presence or modify other skills. Autonomous invocation is allowed by default but there are no additional high-risk privileges granted.
Assessment
This package appears to be a straightforward OTP API client + webhook verifier. Before installing or using it:
1) Verify the API base URL and that you trust the EngageLab service and the skill author.
2) Never paste production dev_key/dev_secret into an untrusted interface — provide credentials only to agents or systems you trust.
3) If you deploy verify_callback.py, protect the callback secret and restrict inbound traffic (use the documented IP whitelist if appropriate).
4) Ensure Python and the 'requests' library are available (the package doesn't declare dependencies).
5) Review the template and message-sending code if you plan to send messages to users (to avoid accidental spam or regulatory problems).
6) Rotate keys if you suspect exposure and limit API keys' permissions where possible.

Like a lobster shell, security has layers — review code before you run it.
