Back to skill

Security audit

Otp Challenger

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a real OTP verifier, but it needs Review because it can locally use or generate OTP codes and can run an arbitrary configured failure hook, which weakens the security boundary it claims to enforce.

Review this carefully before installing for high-impact approvals. Store OTP and YubiKey secrets in a real secret manager or tightly permissioned config, avoid persistent shell-profile exports on shared machines, leave OTP_FAILURE_HOOK unset unless it points to a trusted fixed script, and do not rely on this as independent MFA if the same agent can read the secret or run the current-code helper. YubiKey mode requires outbound HTTPS to Yubico.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions even though its documented behavior clearly involves shell execution and file access. This creates a transparency and policy-enforcement gap: users or hosting systems may grant or evaluate the skill as low-privilege while it actually reads local state and invokes scripts, including sourced shell content and optional hooks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is OTP challenge/verification, but the skill also appears to perform additional sensitive operations such as secret generation, exposing current TOTP values, external API calls, local audit/state handling, and execution of arbitrary failure-hook commands. This mismatch is dangerous because operators may trust and deploy the skill for narrow authentication use while overlooking capabilities that can leak secrets, expand attack surface, or execute commands in privileged workflows.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script pulls a TOTP secret from an environment variable or local config and then uses it to generate a valid OTP. In a skill whose stated purpose is to challenge a user for fresh 2FA proof, this effectively turns the skill into a secret-consuming code generator, which undermines the independence of the second factor and creates credential-extraction/use capability inside automation.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
Instead of verifying that a human user produced a fresh second-factor response, the script locally generates the current TOTP from a stored secret. That collapses authentication into possession of a static secret by the agent or host, defeating the intended approval/identity-verification control for sensitive actions such as deploys, admin operations, and data access.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The skill metadata promises YubiKey-based fresh 2FA challenges, but the summary only substantiates TOTP behavior and explicitly frames hardware-token support as a future enhancement. This can cause operators to rely on stronger phishing-resistant authentication that is not actually implemented, leading to misplaced trust around sensitive approvals and administrative actions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The `current` command lets anyone with access to a stored TOTP secret generate a valid one-time code directly, turning a verification helper into an OTP oracle. In the context of a skill meant to challenge users for fresh 2FA proof before sensitive actions, this undermines the trust model by enabling code generation instead of independent user possession proof.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The header documentation omits the implemented `current` command, which hides a sensitive capability from reviewers and operators. In a security-sensitive 2FA skill, undocumented functionality that can generate live OTPs increases the risk that dangerous behavior is overlooked during approval, auditing, or deployment.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script executes an externally supplied command from OTP_FAILURE_HOOK with the script's privileges whenever verification fails or rate limits trigger. Although values are passed via environment variables rather than arguments, the hook itself is unrestricted and unquoted, so a malicious or compromised configuration can cause arbitrary code execution unrelated to OTP verification.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The example configuration includes realistic secret-shaped sample values that can be mistaken for acceptable inline practice, and the file does not warn users that these fields are sensitive and must not be committed or shared. In an authentication skill handling OTP and YubiKey verification, normalizing plaintext secret placement in config files increases the chance of accidental credential exposure, which could undermine MFA verification controls if copied into real deployments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The plan explicitly adds YubiKey OTP validation by sending the OTP plus signed client metadata to Yubico's cloud service, but it does not mention any user/admin disclosure, consent, or configuration warning about external network transmission. In an identity-verification skill used for sensitive actions, silently introducing third-party transmission of authentication material is a real privacy and operational security concern, even if the destination is the legitimate Yubico API.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The design explicitly stores YubiKey API credentials in a user config file or environment variables but does not mention secret handling requirements such as file permissions, avoiding commits, redaction, or use of a secure secret store. In a security-sensitive OTP verification skill, undocumented secret storage increases the chance of credential leakage through dotfiles, shell history, logs, or source control, which could undermine trust in the validation flow.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The design sends OTP material to Yubico's external verification service but does not describe any user-facing disclosure, consent, or privacy/network expectations. Because this skill is intended for sensitive approval and identity-verification workflows, silent transmission of authentication artifacts to a third party can create compliance, privacy, and operational risk, especially in restricted or offline environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the freshly generated TOTP secret directly to stdout, includes it in an otpauth URI, QR code, YAML snippet, and shell export command. In a security-sensitive OTP provisioning workflow, this can expose the credential through terminal scrollback, session logging, screen recording, CI logs, shell history if copied, or shoulder surfing, allowing an attacker who obtains the secret to generate valid OTP codes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently consumes a sensitive OTP secret from the environment or config without warning the operator that a credential is being accessed and used. In an agent skill context, that lack of disclosure increases the chance of hidden credential use and weakens informed consent, reviewability, and trust boundaries around authentication material.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script unconditionally executes `rm -rf "$DEST_DIR"` against a writable filesystem path without confirmation, validation, or safety checks. If the destination variable is changed, empty, miscomputed, or points to an unexpected location, the script can irreversibly delete unintended data; in a packaging context this is more dangerous because release scripts are often run manually with high trust and little scrutiny.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The failure hook causes external program execution on authentication failures without any user-facing disclosure or consent. In an approval/identity-verification skill, hidden side effects on failed auth attempts increase the chance of covert telemetry, alerting, or abuse through unexpected command execution.

External Transmission

Medium
Category
Data Exfiltration
Content
# Call Yubico API
  local response
  response=$(curl -s --max-time 10 "https://api.yubico.com/wsapi/2.0/verify?${params}&h=${signature_encoded}" 2>/dev/null)

  if [ -z "$response" ]; then
    echo "ERROR: Failed to contact Yubico API (network error or timeout)" >&2
Confidence
95% confidence
Finding
https://api.yubico.com/

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
source ~/.bashrc
```

#### Option C: 1Password Integration
```yaml
security:
  otp:
Confidence
83% confidence
Finding
echo "source ~/.openclaw-otp-config.sh" >> ~/.bashrc

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
config-template.yaml:50

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
docs/implementation-plans/2025-01-31-yubikey-support/phase_02.md:221

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
env-template.sh:88