Otc Confirmation
v3.1.0
One-Time Confirmation code security mechanism for sensitive agent operations. Generates a cryptographically secure single-use code, delivers it via a private...
by Lewis Liu (@lewis-404)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The skill is an OTC/email confirmation system and it requires SMTP credentials and curl to send email — these requirements are expected and proportionate. The bundle contains both production-ready shell scripts (generate/send/verify) and Python reference implementations, which matches the README claim of two implementation paths. Declared primaryEnv (OTC_EMAIL_RECIPIENT) and required env vars align with the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to call the included scripts and to keep the code in a permission-restricted state file; that is within scope. However, the document also contains examples and discussion of prompt-injection and 'system prompt override' patterns (pre-scan flagged these). Those appear to be explanatory examples in the threat model rather than instructions to override guards, but you should review the SKILL.md and scripts to confirm no lines attempt to change agent system prompts or perform out-of-band data collection. The skill asks that the agent 'not read the state file' — this is a policy constraint in docs and not an enforced OS-level guarantee; a compromised agent running as the same OS user could still access the file.
Install Mechanism
No remote install or arbitrary downloads — this is an instruction-only skill with bundled scripts and docs. That reduces supply-chain risk compared with fetching executables from unknown URLs. The only external binary dependency declared is curl, which is reasonable for SMTP-over-curl email sending.
Credentials
The skill requires SMTP credentials (OTC_SMTP_USER and OTC_SMTP_PASS) and an email recipient. Those are necessary for its stated function. However, SMTP credentials are sensitive; inspect scripts to ensure credentials are not exposed (for example, passed as literal args visible in process listings or written to logs). SKILL.md references additional optional env vars (SMTP_HOST/PORT, OTC_EMAIL_BACKEND, OTC_CUSTOM_EMAIL_SCRIPT) which are reasonable but should be audited when enabling backends or custom scripts.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not claim to modify other skills or system-wide agent configuration. Its stated behavior (create per-user state dir and state file) is standard for this type of guard and scoped to the skill.
Scan Findings in Context
[ignore-previous-instructions] expected: Detected phrase(s) commonly associated with prompt-injection. In this package they appear in the threat-modeling/docs and examples (explaining prompt-injection attacks) rather than as an instruction for the skill to override system prompts. Still, review SKILL.md and examples to ensure none of the shipped scripts or templates instruct agents to ignore prior system prompts.
[system-prompt-override] expected: Detected 'system-prompt-override' pattern. This is expected in documentation that teaches about prompt-injection threats. Verify there are no embedded instructions in SKILL.md or templates that attempt to change/overwrite agent system prompts or perform silent prompt changes at runtime.
Assessment
Before installing or enabling this skill:
1) Manually inspect the three shell scripts (generate_code.sh, send_otc_email.sh/send_email_smtp.sh, verify_code.sh) to confirm they do not echo the code, do not log secrets, and that credentials are not passed on the command line in a way visible via ps.
2) Run the skill in a non-production sandbox first and test the state-file lifecycle and permission bits (state dir mode 700, state file mode 600).
3) Use a dedicated SMTP account with limited privileges and rotate its password if compromised.
4) If you enable a custom backend script, verify it is trusted and executable only by your user.
5) Be aware the 'agent must not read the state file' is a procedural control — a compromised agent running as the same OS user could read it; consider isolating the guard (different user, container, or stricter sandbox).
6) Note the SKILL.md includes prompt-injection discussion — review the docs and templates so you are comfortable there are no instructions that would weaken your agent's system prompt or security posture.
If you want extra assurance, have a security-savvy reviewer audit the scripts for credential handling (curl usage, logging, process args) prior to production use.
Tags: agent-safety, audit, confirmation, devops, latest, otc, rbac, security, zero-knowledge
Runtime requirements
Any bin: curl
Env: OTC_EMAIL_RECIPIENT, OTC_SMTP_USER, OTC_SMTP_PASS
Primary env: OTC_EMAIL_RECIPIENT
