TOTP

TOTP-based OTP verification for sensitive operations (env vars, gateway restarts, backup deletions, critical config changes). Uses otplib with window:2 (1 minute tolerance).

Audits

Pass

ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install totp

TOTP Verification Skill

Secure OTP verification using TOTP (Time-based One-Time Password) for sensitive operations.

Purpose

Protect access to:

.env variables
openclaw.json configuration
Gateway restarts
Backup deletions
Critical configuration changes
External API key operations

Setup

Install dependencies:
```
npm install
```

Generate secret and QR:

npm run generate

Optionally pass service and account name:

node scripts/generate-secret.js MyService myuser

Send the QR image (qr.png) to the user, then delete it immediately:
```
rm qr.png
```
Set TOTP_SECRET in .env:
```
TOTP_SECRET=YOUR_BASE32_SECRET_HERE
```
Configure Google Authenticator/Authy with the generated secret or QR.

Usage

When a sensitive operation is requested:

Agent: "Please provide your OTP"
User: Provides 6-digit code from authenticator app

Agent: Runs verification:

TOTP_SECRET=$TOTP_SECRET node scripts/verify.js 123456

If valid (exit 0): Proceed with operation
If invalid (exit 1): Deny access

Files

scripts/generate-secret.js - Generate new TOTP secret and QR
scripts/verify.js - Verify OTP tokens (window:2 = 1 minute tolerance)
SKILL.md - This documentation

Security Notes

Window: 2 (1 minute tolerance) for time drift
Algorithm: SHA1
Digits: 6
Period: 30 seconds
Secret: Base32 encoded, stored in .env as TOTP_SECRET

Integration

This skill should be integrated into the agent's decision flow when:

User requests .env variables
User requests openclaw.json contents
User requests gateway restart
User requests backup deletion
Any operation marked as "critical"