Otpforge

v0.1.0

Manage TOTP/2FA codes locally (add/list/remove accounts, display current codes, and optional Tkinter GUI). Use when a user asks to generate a TOTP code, stor...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description (manage TOTP codes locally, CLI + optional Tkinter GUI) matches the shipped code (cli.py, core.py, gui.py). The skill does not request unrelated credentials or binaries.
Instruction Scope
SKILL.md describes running the provided CLI and GUI and references an optional OTPFORGE_STORE env var and CLI --store flag; those behaviors are implemented in the code. The instructions do not ask the agent to read unrelated files, call external endpoints, or exfiltrate data.
Install Mechanism
No install spec is provided (instruction-only). Source files are bundled with the skill; there is no download-from-URL, package install, or execution of fetched code. This is low-risk from an install perspective.
Credentials
The skill requests no environment credentials. It supports an optional OTPFORGE_STORE env var to override the local vault path (not a secret). However, the vault is a plaintext JSON file (written with mode 0o600) — secrets are stored unencrypted on disk. No env vars like API keys, tokens, or passwords are requested.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills or global agent config, and does not request elevated privileges. It writes a local file (the vault) in the user config directory, which is expected for this purpose.
Assessment
This skill appears to do exactly what it says: a local TOTP manager with CLI and Tkinter GUI and no network activity. Before installing, consider: (1) Secrets are stored in a plaintext JSON vault (default ~/.config/otpforge/secrets.json). Although the file is created with mode 600, it is not encrypted; if you need stronger protection, store the file on an encrypted disk or modify the code to use OS keyring/encryption. (2) The GUI copies codes to the clipboard, which other apps may read; be mindful of clipboard exposure and clear it if needed. (3) You can override the vault location with OTPFORGE_STORE or --store for a one-off path. (4) Because this is bundled source code, you can (and should) review the files or run them in a sandbox before trusting them with real 2FA secrets. There are no network calls or hidden endpoints in the code.
