Auto Authenticator Local

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent local TOTP helper, but its setup workflow can expose MFA seeds by putting them on the command line.

Only install this if you understand that it stores and generates MFA codes locally. Avoid using real TOTP seeds with the current command-line examples; ask for or implement a secure prompt/stdin-based seed entry flow, and review the GitHub installer before running it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked TOTP seed can let someone generate future MFA codes for that account, reducing the protection MFA is meant to provide.

Why it was flagged

The documented workflow places the TOTP seed, which is an account authentication secret, directly on the command line. Command-line arguments may be saved in shell history, visible to local process inspection, or retained in agent/chat logs, and the artifacts do not provide a safer stdin or interactive secret-entry path.

Skill content

python3 scripts/totp_add.py --alias github-work --issuer GitHub --account lucas@example.com --seed JBSWY3DPEHPK3PXP

Recommendation

Do not paste real TOTP seeds into chat or shell commands for this version. Prefer a workflow that accepts the seed through a secure prompt/stdin, or add that capability before using it with real accounts.

What this means

If the remote repository or dependency supply chain changes or is compromised, installation could run code different from what was reviewed here.

Why it was flagged

The installer fetches code from GitHub and installs Python dependencies. This is disclosed and user-directed, but it means the code run during installation depends on the remote repository and package resolution rather than only the reviewed artifact bundle.

Skill content

REPO_URL="https://github.com/LucasZH7/auto-authenticator-local.git" ... git clone "$REPO_URL" "$TARGET_DIR" ... python3 -m pip install -r "$TARGET_DIR/requirements.txt"

Recommendation

Review the repository and installer before running it, prefer pinned releases or commit hashes, and install dependencies in an isolated environment.