ClawHub

Auto Authenticator Local

v1.0.0

Use when the user wants a local-first TOTP helper for accounts they personally own or are explicitly authorized to access. This skill stores TOTP seeds in sy...

0· 164·0 current·0 all-time
by@lucaszh7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: scripts store/fetch/delete TOTP seeds using keyring or macOS security CLI and generate codes. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits actions to adding/generating/deleting a single alias and warns against exfiltration or stealth generation. The bundled scripts print codes to stdout (expected), which requires operator caution so codes are not inadvertently recorded in chat transcripts or logs.
Install Mechanism
There is no packaged install spec inside the skill; the provided install.sh clones a GitHub repository and runs pip install -r requirements.txt (keyring). Using GitHub is normal, but the README suggests curl | bash for one-line install — this invokes remote code and should be used only after verifying the repository and commit.
Credentials
No environment variables, keys, or unrelated credentials are requested. The only external dependency is the 'keyring' Python package to access OS-native secure storage, which is proportional to the stated purpose.
Persistence & Privilege
Skill is not always-enabled, and agents/openai.yaml explicitly disables implicit invocation. The skill does not request system-wide config changes or access to other skills' credentials.
Assessment
This skill appears to do what it says: local-only TOTP storage and on-demand code generation using your OS keyring. Before installing, verify the GitHub repository and commit you are installing, avoid piping unknown install scripts directly into bash, and consider running the scripts locally (not through a shared agent) the first time to confirm behavior. Be careful not to paste generated codes into chat transcripts or logs if those are stored or reviewed. If you share the machine, ensure your OS credential store is locked and you understand which keyring backend will be used (keyring vs macOS security CLI).

Like a lobster shell, security has layers — review code before you run it.

authenticatorvk9721yq515t3fxkrynmmfbn05h82s95blatestvk9721yq515t3fxkrynmmfbn05h82s95blocal-firstvk9721yq515t3fxkrynmmfbn05h82s95bprivacyvk9721yq515t3fxkrynmmfbn05h82s95bsecurityvk9721yq515t3fxkrynmmfbn05h82s95btotpvk9721yq515t3fxkrynmmfbn05h82s95b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments