OTPly

Pass

Audited by ClawScan on May 10, 2026.

Overview

OTPly appears to be a coherent instruction-only API skill for an email OTP service, but users should treat it as security-sensitive because it handles OTPs, account credentials, API secrets, and email delivery.

This skill looks purpose-aligned and instruction-only, with no local code execution shown. Before installing or using it, confirm you trust the OTPLY provider, understand where OTP and credential data is sent, and require explicit approval for sending OTPs or using API secrets.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If given credentials, the agent could send OTP emails through the service, potentially using paid credits or contacting unintended recipients.

Why it was flagged

The skill exposes an action that sends OTP emails, which is central to the service but can affect recipients and consume quota if used without clear user intent.

Skill content

POST /api/v1/send-otp ... "email": "user@example.com", "purpose": "login_verification", "template": "default", "expiry_minutes": 15

Recommendation

Use this only for explicit OTP workflows and confirm recipient, purpose, template, and volume before sending.

What this means

OTPLY account passwords, tokens, API keys, and API secrets could grant access to send and verify OTPs or view usage.

Why it was flagged

The API intentionally handles account login and returns API credentials, which is expected for an OTP provider but should be treated as sensitive delegated authority.

Skill content

"/api/v1/login" ... "description": "Login and get API credentials" ... "token" ... "api_key" ... "api_secret"

Recommendation

Provide only OTPLY-specific credentials, avoid reusing passwords, store API secrets securely, and rotate them if exposed in chat or logs.

What this means

It may be harder to verify who operates the OTP service, what endpoint should be trusted, or what security/privacy commitments apply.

Why it was flagged

The skill is for a security-sensitive OTP service, but the supplied metadata does not provide an independently verifiable source or homepage.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the provider, API base URL, privacy policy, retention practices, and billing terms before using this for production authentication flows.

What this means

Email addresses, OTP purposes, and OTP codes may be processed by the OTPLY service and could reveal authentication activity.

Why it was flagged

The documented verification flow sends recipient email addresses and OTP codes to the external provider; this is expected, but the data is sensitive.

Skill content

POST /api/v1/verify-otp ... "email": "user@example.com", "otp": "654321", "purpose": "login_verification"

Recommendation

Use the service only if its privacy and retention practices are acceptable, and avoid sending OTPs or emails unrelated to the intended verification workflow.