Feelgoodbot
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears consistent with its security-monitoring purpose, but it installs an unpinned background daemon and handles OTP/gateway secrets in ways users should explicitly trust and review.
Before installing, make sure you trust the upstream feelgoodbot project, understand that it will run a persistent macOS daemon, and review the Clawdbot webhook and OTP handling flow. Pinning the Go package version and using a trusted, non-logged OTP channel would reduce risk.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You would be trusting the current upstream GitHub code at install time, not just the artifacts shown here.
The skill installs upstream code at the moving @latest version rather than a pinned release, so the installed daemon may differ from what was reviewed.
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest
Review the upstream repository and consider pinning a specific version before installation.
The monitor will keep running in the background and can generate alerts after installation.
The setup script installs and starts a persistent background daemon. This is expected for file integrity monitoring, but it continues operating after setup.
feelgoodbot daemon install 2>/dev/null || true
feelgoodbot daemon stop 2>/dev/null || true
feelgoodbot daemon start
Install only if you want persistent monitoring, and confirm how to stop or uninstall the daemon.
Running setup can change your Clawdbot webhook configuration and store a local alerting secret in feelgoodbot config.
The script changes Clawdbot gateway settings and creates or reads a hooks token used as a shared secret for alerts.
clawdbot config set hooks.enabled true
TOKEN=$(openssl rand -base64 32)
clawdbot config set hooks.token "$TOKEN"
clawdbot gateway restart
Review the Clawdbot configuration changes before running setup, especially on systems with existing gateway policies.
Your one-time authentication code may pass through the agent and messaging channel, and a successful check creates a cached session for later actions.
The documented async flow has the user send an OTP code through Telegram to the agent, which then validates it locally.
Agent sends Telegram message: "🔐 Action `<action>` requires step-up. Reply with your OTP code."
Use only a trusted bot/channel, bind replies to the intended user and action, avoid logging OTPs, and prefer local secure prompts where possible.
A naive integration could mishandle unexpected input from the messaging channel.
The pseudocode concatenates user-provided OTP text into a shell command. It is example code, not runnable source here, but an implementation that copied it literally would be exposed to shell injection.
valid = exec("feelgoodbot totp verify " + code)
Validate OTPs as exactly six digits and call commands with structured argv arguments rather than shell string concatenation.
