Feelgoodbot

v1.1.0

Set up feelgoodbot file integrity monitoring and TOTP step-up authentication for macOS. Use when the user wants to detect malware, monitor for system tampering, set up security alerts, or require OTP verification for sensitive agent actions.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kris-hansen/feelgoodbot.

Install the skill "Feelgoodbot" (kris-hansen/feelgoodbot) from ClawHub.
Skill page: https://clawhub.ai/kris-hansen/feelgoodbot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install feelgoodbot

ClawHub CLI

npx clawhub@latest install feelgoodbot

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability

The SKILL.md and scripts implement a macOS file-integrity monitor and TOTP step-up flow (consistent with the description). However the manifest declares no required binaries or env vars while the instructions and setup.sh clearly require: go (to install the binary), clawdbot (CLI) for webhook integration, and openssl (for token generation). The omission of these required tools in the registry metadata is an incoherence a user should notice.

[!] Instruction Scope

Runtime instructions focus on installing feelgoodbot, creating a baseline, and configuring TOTP. But the agent integration pseudocode instructs the agent to send a Telegram message and wait for a reply (no credentials/config for Telegram are provided) and relies on Clawdbot/webhooks for alerts. The SKILL.md also states it monitors 'AI agent configs (Claude, Cursor)', implying reading other agent config files. The guidance about inter-process messaging is underspecified and could result in accidental disclosure of OTPs or other secrets if the agent's messaging channel isn't secure.

Install Mechanism

There is no formal install spec in the registry, but the included scripts use 'go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest' which pulls code from GitHub. Using 'go install' from a GitHub module is a common pattern but still executes third-party code fetched at install time — moderate trust should be placed in the upstream repo. The script writes config files and installs a launchd daemon (persistence under macOS).

[!] Credentials

The skill requests no environment variables in metadata, but the setup script reads/writes Clawdbot configuration (reads hooks.enabled and hooks.token, sets a token), writes ~/.config/feelgoodbot/config.yaml, and configures a local webhook secret. The README expects the agent to send messages (Telegram) and to handle OTPs. Requiring access to local agent configs and system binaries is expected for a FIM tool, but the lack of declared dependencies and credentials is inconsistent and could lead to unexpected privilege or data access.

Persistence & Privilege

The skill installs and starts a launchd daemon via feelgoodbot daemon install/start. Persistence is reasonable for a file-integrity monitor, but daemon installation may require elevated privileges and will run continuously. The skill does not set always:true and does not attempt to modify other skills' configs in the provided files.

What to consider before installing

Before installing:

  1. Verify and inspect the upstream GitHub repo (github.com/kris-hansen/feelgoodbot) — a 'go install' will fetch and compile code from that source.
  2. Understand required tools that the registry metadata omitted: you need Go, clawdbot CLI, and openssl available on PATH.
  3. The setup script will enable and write Clawdbot webhook config and write ~/.config/feelgoodbot/config.yaml (it generates and stores a webhook secret). If you use Clawdbot, confirm you trust it and that enabling webhooks and restarting the gateway is acceptable.
  4. Running the daemon may require elevated privileges to monitor system binaries; decide whether to run in a controlled environment (VM or test mac) first.
  5. The agent flow suggests sending OTP prompts over Telegram (or another messaging channel) but no secure transport/config is provided here — ensure your messaging integration will not leak OTPs or secrets.
  6. If you are not comfortable auditing the repository code yourself, treat this package cautiously: it executes third-party code at install time and implements persistent monitoring that will access potentially sensitive files (agent configs, system paths).

Like a lobster shell, security has layers — review code before you run it.

Downloads: 1.5k
Stars: 1
Versions: 2
Updated: 1mo ago
Version: v1.1.0
License: MIT-0

feelgoodbot 🛡️

Pronounced "Feel good, bot"

macOS file integrity monitor + TOTP step-up authentication for AI agents.

GitHub: https://github.com/kris-hansen/feelgoodbot

If you find this useful, please star the repo! It helps others discover it.

Features

  1. File Integrity Monitoring — Detects tampering of system files
  2. TOTP Step-Up Auth — Requires OTP for sensitive agent actions

Part 1: File Integrity Monitoring

Requirements

  • Go 1.21+ — Install with brew install go
  • macOS — Uses launchd for daemon

Quick Setup

# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest

# Initialize baseline snapshot
feelgoodbot init

# Install and start daemon
feelgoodbot daemon install
feelgoodbot daemon start

# Check it's running
feelgoodbot status

Clawdbot Integration (Alerts)

Enable webhooks:

clawdbot config set hooks.enabled true
clawdbot config set hooks.token "$(openssl rand -base64 32)"
clawdbot gateway restart

Configure ~/.config/feelgoodbot/config.yaml:

scan_interval: 5m
alerts:
  clawdbot:
    enabled: true
    webhook: "http://127.0.0.1:18789/hooks/wake"
    secret: "<hooks.token from clawdbot config get hooks.token>"
  local_notification: true

What It Monitors

  • System binaries (/usr/bin, /usr/sbin)
  • Launch daemons/agents (persistence mechanisms)
  • SSH authorized_keys, sudoers, PAM
  • Shell configs (.zshrc, .bashrc)
  • Browser extensions
  • AI agent configs (Claude, Cursor)

Part 2: TOTP Step-Up Authentication

Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.

Setup (User runs in terminal)

# Initialize TOTP (shows QR code to scan)
feelgoodbot totp init --account "user@feelgoodbot"

# Verify it works
feelgoodbot totp verify

# Check status
feelgoodbot totp status

Configure Protected Actions

# List current protected actions
feelgoodbot totp actions list

# Add actions that require step-up
feelgoodbot totp actions add "send_email"
feelgoodbot totp actions add "payment:*"
feelgoodbot totp actions add "delete:*"
feelgoodbot totp actions add "ssh:*"
feelgoodbot totp actions add "publish:*"
feelgoodbot totp actions add "gateway:*"
feelgoodbot totp actions add "voice_call:*"
feelgoodbot totp actions add "message:external"

# Remove an action
feelgoodbot totp actions remove "send_email"

TOTP Commands

Command | Description
feelgoodbot totp init | Set up TOTP with QR code
feelgoodbot totp verify [code] | Test a code
feelgoodbot totp status | Show TOTP status and session
feelgoodbot totp check <action> | Check if action needs step-up, prompt if needed
feelgoodbot totp reset | Remove TOTP config (requires code)
feelgoodbot totp backup show | Show remaining backup codes
feelgoodbot totp backup regenerate | Generate new backup codes
feelgoodbot totp actions list | List protected actions
feelgoodbot totp actions add <action> | Add protected action
feelgoodbot totp actions remove <action> | Remove protected action
feelgoodbot totp respond <code> | Submit OTP response (for async flow)

Session Caching

After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.


Agent Integration (IMPORTANT)

Before performing any sensitive action, the agent MUST check step-up requirements.

Action Mapping

Map your intended actions to step-up patterns:

Agent Action | Step-Up Pattern
Sending email | send_email
Making payments | payment:*
Deleting files | delete:*
SSH/remote access | ssh:*
Publishing code | publish:*
Modifying Clawdbot config | gateway:*
Making phone calls | voice_call:*
Messaging external contacts | message:external
Modifying step-up config | config:update

Step-Up Check Flow

Before executing a sensitive action:

# Check if action requires step-up (non-interactive check)
feelgoodbot totp check <action>
# Exit code 0 = proceed, Exit code 1 = denied/not authenticated

If session is valid: Command succeeds immediately (exit 0)

If step-up required and no session:

  1. Agent sends Telegram message: "🔐 Action <action> requires step-up. Reply with your OTP code."
  2. Wait for user to reply with 6-digit code
  3. Validate: feelgoodbot totp verify <code>
  4. If valid, create session and proceed
  5. If invalid, deny action and notify user

Example Agent Flow (Pseudocode)

function performSensitiveAction(action, execute_fn):
    # Check step-up requirement (arguments passed as a list, not through a shell)
    result = exec(["feelgoodbot", "totp", "check", action])

    if result.exit_code == 0:
        # Session valid or action not protected
        execute_fn()
        return success

    # Need to prompt user
    send_telegram("🔐 Action '{action}' requires step-up authentication.\nReply with your OTP code from Google Authenticator.")

    code = wait_for_user_reply(timeout=120s)

    if code is None:
        send_telegram("⏰ Step-up authentication timed out. Action cancelled.")
        return denied

    # Validate the code. The reply is untrusted input: pass it as a single
    # argument, never concatenate it into a shell command line.
    valid = exec(["feelgoodbot", "totp", "verify", code])

    if valid.exit_code != 0:
        send_telegram("❌ Invalid code. Action cancelled.")
        return denied

    # Create session by running check again (it will pass now)
    exec(["feelgoodbot", "totp", "check", action])

    execute_fn()
    send_telegram("✅ Action completed.")
    return success
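
A runnable, fail-closed version of this flow, added here as an example and not taken from the feelgoodbot project: the action and the reply are passed as separate argv elements with no shell, and a reply that is not exactly six digits never reaches the CLI. The `ask_user` and `notify` callbacks, the action-name pattern and the injectable `run` parameter are assumptions made for the example.

```python
import re
import subprocess

# Assumptions in this added example: the action-name grammar and the six-digit
# reply format are inferred from the page; ask_user and notify are hypothetical
# callbacks for the agent's messaging channel.
ACTION_RE = re.compile(r"[a-z_]+(?::[a-z0-9_.-]+)?")  # cannot start with "-"
CODE_RE = re.compile(r"[0-9]{6}")


def run_cli(args, timeout=10):
    """Run feelgoodbot with an argv list (no shell, stdin closed so a prompt
    cannot hang the agent); any failure counts as denied."""
    try:
        return subprocess.run(
            ["feelgoodbot", *args], timeout=timeout, stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        ).returncode
    except (OSError, subprocess.SubprocessError):
        return 1  # missing binary or timeout: fail closed


def perform_sensitive_action(action, execute_fn, ask_user, notify, run=run_cli):
    """Return True only if execute_fn ran after a passing step-up check."""
    if not ACTION_RE.fullmatch(action):
        return False
    if run(["totp", "check", action]) == 0:
        execute_fn()  # session valid or action not protected
        return True
    notify(f"Action '{action}' requires step-up. Reply with your OTP code.")
    reply = ask_user(120)  # seconds to wait; None on timeout
    code = (reply or "").strip()
    if not CODE_RE.fullmatch(code):
        # Malformed or missing reply: never forward it to the CLI or echo it.
        notify("No valid 6-digit code received. Action cancelled.")
        return False
    if run(["totp", "verify", code]) != 0:
        notify("Invalid code. Action cancelled.")
        return False
    # Confirm the session exists rather than assuming verify created it.
    if run(["totp", "check", action]) != 0:
        notify("Step-up session not established. Action cancelled.")
        return False
    execute_fn()
    notify("Action completed.")
    return True
```

While the `verify` call runs, the code is still visible in that process's argument list to other processes running as the same user.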

Quick Reference for Agent

Check before these actions:

  • send_email — Before sending any email
  • payment:* — Before any financial transaction
  • delete:* — Before deleting files (delete:file, delete:backup, etc.)
  • ssh:* — Before SSH connections
  • publish:* — Before publishing/deploying
  • gateway:* — Before modifying Clawdbot config
  • voice_call:* — Before making phone calls
  • message:external — Before messaging non-owner contacts
  • config:update — Before modifying step-up config

Commands to use:

# Check and prompt (interactive)
feelgoodbot totp check send_email

# Just validate a code
feelgoodbot totp verify 123456

# Check session status
feelgoodbot totp status

File Locations

File | Purpose
~/.config/feelgoodbot/config.yaml | Main config
~/.config/feelgoodbot/totp.json | TOTP secret + backup codes
~/.config/feelgoodbot/stepup-config.json | Protected actions
~/.config/feelgoodbot/totp-session | Session cache
~/.config/feelgoodbot/snapshots/ | File integrity baselines
~/.config/feelgoodbot/daemon.log | Daemon logs

Troubleshooting

TOTP code always invalid:

  • Check system clock is accurate (date)
  • Ensure you're using the correct authenticator entry
  • Try a backup code
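
Why an inaccurate clock makes every code invalid, as an added example that is not feelgoodbot's code: a standard RFC 6238 implementation plus a helper that reports how many 30-second steps separate the clock that produced a code from the verifier's clock. The secret is the RFC 6238 test key, and the SHA-1, 30-second and 6-digit parameters are assumed from Google Authenticator's defaults.

```python
import hashlib
import hmac
import struct

# Assumption in this added example: the Google Authenticator defaults
# (HMAC-SHA1, 30-second step, 6 digits); the page does not state feelgoodbot's
# parameters or how many steps of drift its verifier tolerates.
STEP = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def drift_steps(secret: bytes, code: str, verifier_time: int, search: int = 10):
    """Steps by which the code's clock is ahead (+) or behind (-) the verifier,
    nearest match first; None if no window within +/-search steps matches."""
    for distance in range(search + 1):
        for offset in sorted({-distance, distance}):
            t = verifier_time + offset * STEP
            if t >= 0 and hmac.compare_digest(totp(secret, t).encode(), code.encode()):
                return offset
    return None


def accepts(secret: bytes, code: str, verifier_time: int, window: int = 1) -> bool:
    """True if a verifier that tolerates +/-window steps would accept the code."""
    return drift_steps(secret, code, verifier_time, search=window) is not None
```

With the RFC test key, a code generated 90 seconds before the verifier's time yields `drift_steps(...) == -3`, outside a one-step tolerance, which is the symptom the clock check above addresses.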

Step-up not prompting:

  • Verify action is in protected list: feelgoodbot totp actions list
  • Check TOTP is initialized: feelgoodbot totp status

Reset everything:

# Reset TOTP (requires valid code or backup code)
feelgoodbot totp reset

# Or manually remove (loses access without backup codes!)
rm ~/.config/feelgoodbot/totp.json
rm ~/.config/feelgoodbot/totp-session

Like feelgoodbot? Star it on GitHub: https://github.com/kris-hansen/feelgoodbot
