ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TouchBridge — Phone Biometric Auth for Mac

v1.0.0

Authenticate sudo and macOS system prompts using your phone's biometric (Face ID/fingerprint) instead of typing passwords. Perfect for Mac Mini, Mac Studio,...

0· 91·0 current·0 all-time
by@hmakt99

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hmakt99/touchbridge.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "TouchBridge — Phone Biometric Auth for Mac" (hmakt99/touchbridge) from ClawHub.
Skill page: https://clawhub.ai/hmakt99/touchbridge
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: touchbridged, touchbridge-test
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install touchbridge

ClawHub CLI

Package manager switcher

npx clawhub@latest install touchbridge
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, required binaries (touchbridged, touchbridge-test), and the provided GitHub .pkg URL align with the stated goal of enabling phone biometric auth for macOS prompts.
Instruction Scope
SKILL.md instructs running the daemon, installing a PAM module, checking daemon sockets, using a simulator (auto-approve), and a web mode that displays a URL for phone approval. These are within the feature scope, but they explicitly direct actions that affect system authentication and can broaden the attack surface (simulator auto-approves; web mode may expose an approval URL).
Install Mechanism
The install step is a downloadable .pkg hosted on GitHub Releases — a common distribution channel but still a remote installer executed on the machine. No checksum/signature is provided in the instructions; building from source is offered as an alternative. Download-and-run installers carry execution risk and should be verified before use.
Credentials
The skill requests no environment variables or unrelated credentials; the requested access (binaries and potential sudo use during install) is proportionate to the stated functionality.
!
Persistence & Privilege
The tool modifies system authentication (PAM), installs a daemon, and requires elevated privileges for installation/uninstallation — these are powerful capabilities. The skill is not 'always:true', but the required privileged changes mean an installer or scripts executed via the agent would have a high blast radius and must be trusted and audited.
What to consider before installing
This skill appears to do what it says, but it modifies macOS authentication (PAM) and installs a privileged daemon — high-risk actions. Before installing: (1) inspect the installer and install scripts (scripts/install.sh) or build from source yourself; (2) verify the .pkg via checksum or signed release from the upstream repo; (3) do not run the simulator (--simulator) on a production machine (it auto-approves sudo); (4) be cautious with --web mode (exposed URLs can be clicked by unintended parties if network-accessible); (5) back up /etc/pam.d/ and test in a VM or disposable machine first; (6) prefer installing only after verifying the GitHub project, maintainer reputation, and that the installer creates expected backups and restores on uninstall. If you are not comfortable auditing install scripts or running privileged installers, avoid installing this skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis
Binstouchbridged, touchbridge-test
biometricvk977p4yc0smq20n2nc2gz1bsxd83syp1latestvk977p4yc0smq20n2nc2gz1bsxd83syp1macosvk977p4yc0smq20n2nc2gz1bsxd83syp1pamvk977p4yc0smq20n2nc2gz1bsxd83syp1securityvk977p4yc0smq20n2nc2gz1bsxd83syp1sudovk977p4yc0smq20n2nc2gz1bsxd83syp1touch-idvk977p4yc0smq20n2nc2gz1bsxd83syp1
91downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@hmakt99
biometriclatestmacospamsecuritysudotouch-id
Download

TouchBridge

Use your phone's fingerprint or Face ID to authenticate sudo, screensaver unlock, and other macOS auth prompts — instead of typing your password.

Free, open source alternative to Apple's $199 Touch ID keyboard. Works with iPhone, Android, Apple Watch, Wear OS, or any browser.

References

  • references/setup.md (install + pairing + testing)

Workflow

  1. Check if TouchBridge is installed: which touchbridged.
  2. If not installed: download and run the .pkg installer from the GitHub release.
  3. Check daemon status: ls ~/Library/Application\ Support/TouchBridge/daemon.sock.
  4. If daemon not running: touchbridged serve --simulator (for testing) or touchbridged serve --web (for phone auth).

For sudo commands

TouchBridge automatically handles sudo authentication when installed. The PAM module intercepts the auth request and routes it to the daemon, which prompts the user's phone.

If the phone is unreachable, sudo falls through to the normal password prompt — the user is never locked out.

Modes

  • touchbridged serve --simulator — auto-approve (testing, no phone needed)
  • touchbridged serve --web — any phone via browser URL (no app install)
  • touchbridged serve --interactive — approve/deny in terminal
  • touchbridged serve — production mode with paired iPhone/Android via BLE

Configuration

touchbridge-test config show              # view policy
touchbridge-test config set --timeout 20  # change auth timeout
touchbridge-test logs                     # view recent auth events
touchbridge-test list-devices             # show paired devices

Guardrails

  • Never type or log the user's macOS password — TouchBridge replaces password entry entirely.
  • If touchbridged is not running, sudo falls through to password — never block the user.
  • The simulator mode (--simulator) is for testing only — remind the user to switch to phone auth for real security.
  • Never modify /etc/pam.d/sudo directly — use the install script which creates backups.

Comments

Loading comments...