TOTP
Pass. Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent TOTP verification helper, but users should handle the generated secret and QR code carefully.
This appears safe for its stated purpose. Before installing, make sure you trust the local setup environment, keep TOTP_SECRET private, delete the generated qr.png after enrollment, and require clear confirmation for destructive actions even after OTP verification.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can see the setup output or copied secret could generate valid OTP codes.
The setup script intentionally prints the TOTP shared secret so the user can configure an authenticator app and .env file.
console.log('New TOTP_SECRET:'); ... console.log(secret); ... console.log(`TOTP_SECRET=${secret}`);
Run setup in a trusted environment, avoid sharing logs containing the secret, and rotate the secret if it may have been exposed.
If the QR image is left behind or sent to the wrong recipient, another person could enroll the authenticator secret.
The QR image contains the TOTP enrollment secret and is temporarily written to disk during setup.
Send the QR image (`qr.png`) to the user, then delete it immediately
Only share the QR with the intended user, delete qr.png immediately after enrollment, and verify file permissions around the skill directory.
Installation will rely on npm dependency resolution for transitive packages.
The skill depends on npm packages for TOTP and QR-code generation. The direct versions are fixed, but no lockfile is included in the provided artifacts.
"dependencies": { "@otplib/preset-default": "12.0.1", "qrcode": "1.5.3" }
Install from a trusted package registry and consider adding a package lockfile or using a reproducible install process.
A valid OTP may be treated as approval for sensitive actions, so users should understand what action is being authorized.
The skill is intended to gate high-impact operations after OTP verification, but it does not itself perform those operations.
If valid (exit 0): Proceed with operation ... backup deletion ... critical configuration changes
Use OTP verification together with clear action-specific confirmation for destructive or irreversible tasks.
