← Back to Skills Marketplace
Feelgoodbot
by
kris-hansen
· GitHub ↗
· v1.1.0
1500
Downloads
1
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install feelgoodbot
Description
Set up feelgoodbot file integrity monitoring and TOTP step-up authentication for macOS. Use when the user wants to detect malware, monitor for system tampering, set up security alerts, or require OTP verification for sensitive agent actions.
README (SKILL.md)
feelgoodbot 🛡️
Pronounced "Feel good, bot"
macOS file integrity monitor + TOTP step-up authentication for AI agents.
GitHub: https://github.com/kris-hansen/feelgoodbot
⭐ If you find this useful, please star the repo! It helps others discover it.
Features
- File Integrity Monitoring — Detects tampering of system files
- TOTP Step-Up Auth — Requires OTP for sensitive agent actions
Part 1: File Integrity Monitoring
Requirements
- Go 1.21+ — Install with
brew install go - macOS — Uses launchd for daemon
Quick Setup
# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest
# Initialize baseline snapshot
feelgoodbot init
# Install and start daemon
feelgoodbot daemon install
feelgoodbot daemon start
# Check it's running
feelgoodbot status
Clawdbot Integration (Alerts)
Enable webhooks:
clawdbot config set hooks.enabled true
clawdbot config set hooks.token "$(openssl rand -base64 32)"
clawdbot gateway restart
Configure ~/.config/feelgoodbot/config.yaml:
scan_interval: 5m
alerts:
clawdbot:
enabled: true
webhook: "http://127.0.0.1:18789/hooks/wake"
secret: "\x3Chooks.token from clawdbot config get hooks.token>"
local_notification: true
What It Monitors
- System binaries (
/usr/bin,/usr/sbin) - Launch daemons/agents (persistence mechanisms)
- SSH authorized_keys, sudoers, PAM
- Shell configs (
.zshrc,.bashrc) - Browser extensions
- AI agent configs (Claude, Cursor)
Part 2: TOTP Step-Up Authentication
Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.
Setup (User runs in terminal)
# Initialize TOTP (shows QR code to scan)
feelgoodbot totp init --account "user@feelgoodbot"
# Verify it works
feelgoodbot totp verify
# Check status
feelgoodbot totp status
Configure Protected Actions
# List current protected actions
feelgoodbot totp actions list
# Add actions that require step-up
feelgoodbot totp actions add "send_email"
feelgoodbot totp actions add "payment:*"
feelgoodbot totp actions add "delete:*"
feelgoodbot totp actions add "ssh:*"
feelgoodbot totp actions add "publish:*"
feelgoodbot totp actions add "gateway:*"
feelgoodbot totp actions add "voice_call:*"
feelgoodbot totp actions add "message:external"
# Remove an action
feelgoodbot totp actions remove "send_email"
TOTP Commands
| Command | Description |
|---|---|
feelgoodbot totp init |
Set up TOTP with QR code |
feelgoodbot totp verify [code] |
Test a code |
feelgoodbot totp status |
Show TOTP status and session |
feelgoodbot totp check \x3Caction> |
Check if action needs step-up, prompt if needed |
feelgoodbot totp reset |
Remove TOTP config (requires code) |
feelgoodbot totp backup show |
Show remaining backup codes |
feelgoodbot totp backup regenerate |
Generate new backup codes |
feelgoodbot totp actions list |
List protected actions |
feelgoodbot totp actions add \x3Caction> |
Add protected action |
feelgoodbot totp actions remove \x3Caction> |
Remove protected action |
feelgoodbot totp respond \x3Ccode> |
Submit OTP response (for async flow) |
Session Caching
After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.
Agent Integration (IMPORTANT)
Before performing any sensitive action, the agent MUST check step-up requirements.
Action Mapping
Map your intended actions to step-up patterns:
| Agent Action | Step-Up Pattern |
|---|---|
| Sending email | send_email |
| Making payments | payment:* |
| Deleting files | delete:* |
| SSH/remote access | ssh:* |
| Publishing code | publish:* |
| Modifying Clawdbot config | gateway:* |
| Making phone calls | voice_call:* |
| Messaging external contacts | message:external |
| Modifying step-up config | config:update |
Step-Up Check Flow
Before executing a sensitive action:
# Check if action requires step-up (non-interactive check)
feelgoodbot totp check \x3Caction>
# Exit code 0 = proceed, Exit code 1 = denied/not authenticated
If session is valid: Command succeeds immediately (exit 0)
If step-up required and no session:
- Agent sends Telegram message: "🔐 Action
\x3Caction>requires step-up. Reply with your OTP code." - Wait for user to reply with 6-digit code
- Validate:
feelgoodbot totp verify \x3Ccode> - If valid, create session and proceed
- If invalid, deny action and notify user
Example Agent Flow (Pseudocode)
function performSensitiveAction(action, execute_fn):
# Check step-up requirement
result = exec("feelgoodbot totp check " + action)
if result.exit_code == 0:
# Session valid or action not protected
execute_fn()
return success
# Need to prompt user
send_telegram("🔐 Action '{action}' requires step-up authentication.\
Reply with your OTP code from Google Authenticator.")
code = wait_for_user_reply(timeout=120s)
if code is None:
send_telegram("⏰ Step-up authentication timed out. Action cancelled.")
return denied
# Validate the code
valid = exec("feelgoodbot totp verify " + code)
if valid.exit_code != 0:
send_telegram("❌ Invalid code. Action cancelled.")
return denied
# Create session by running check again (it will pass now)
exec("feelgoodbot totp check " + action)
execute_fn()
send_telegram("✅ Action completed.")
return success
Quick Reference for Agent
Check before these actions:
send_email— Before sending any emailpayment:*— Before any financial transactiondelete:*— Before deleting files (delete:file,delete:backup, etc.)ssh:*— Before SSH connectionspublish:*— Before publishing/deployinggateway:*— Before modifying Clawdbot configvoice_call:*— Before making phone callsmessage:external— Before messaging non-owner contactsconfig:update— Before modifying step-up config
Commands to use:
# Check and prompt (interactive)
feelgoodbot totp check send_email
# Just validate a code
feelgoodbot totp verify 123456
# Check session status
feelgoodbot totp status
File Locations
| File | Purpose |
|---|---|
~/.config/feelgoodbot/config.yaml |
Main config |
~/.config/feelgoodbot/totp.json |
TOTP secret + backup codes |
~/.config/feelgoodbot/stepup-config.json |
Protected actions |
~/.config/feelgoodbot/totp-session |
Session cache |
~/.config/feelgoodbot/snapshots/ |
File integrity baselines |
~/.config/feelgoodbot/daemon.log |
Daemon logs |
Troubleshooting
TOTP code always invalid:
- Check system clock is accurate (
date) - Ensure you're using the correct authenticator entry
- Try a backup code
Step-up not prompting:
- Verify action is in protected list:
feelgoodbot totp actions list - Check TOTP is initialized:
feelgoodbot totp status
Reset everything:
# Reset TOTP (requires valid code or backup code)
feelgoodbot totp reset
# Or manually remove (loses access without backup codes!)
rm ~/.config/feelgoodbot/totp.json
rm ~/.config/feelgoodbot/totp-session
⭐ Like feelgoodbot? Star it on GitHub: https://github.com/kris-hansen/feelgoodbot
Usage Guidance
Before installing: 1) Verify and inspect the upstream GitHub repo (github.com/kris-hansen/feelgoodbot) — a 'go install' will fetch and compile code from that source. 2) Understand required tools that the registry metadata omitted: you need Go, clawdbot CLI, and openssl available on PATH. 3) The setup script will enable and write Clawdbot webhook config and write ~/.config/feelgoodbot/config.yaml (it generates and stores a webhook secret). If you use Clawdbot, confirm you trust it and that enabling webhooks and restarting the gateway is acceptable. 4) Running the daemon may require elevated privileges to monitor system binaries; decide whether to run in a controlled environment (VM or test mac) first. 5) The agent flow suggests sending OTP prompts over Telegram (or another messaging channel) but no secure transport/config is provided here — ensure your messaging integration will not leak OTPs or secrets. 6) If you are not comfortable auditing the repository code yourself, treat this package cautiously: it executes third-party code at install time and implements persistent monitoring that will access potentially sensitive files (agent configs, system paths).
Capability Analysis
Type: OpenClaw Skill
Name: feelgoodbot
Version: 1.1.0
The skill bundle installs a file integrity monitoring and TOTP step-up authentication tool. The `scripts/setup.sh` uses `go install` to fetch and compile the tool from a public GitHub repository, which is a standard method for Go applications. It configures a `launchd` daemon for persistence, necessary for an FIM tool, and integrates with `clawdbot` via a local webhook (`http://127.0.0.1:18789/hooks/wake`) and a locally generated secret, indicating local communication for alerts. The `SKILL.md` provides instructions for the AI agent to implement a security control (TOTP step-up authentication) for sensitive actions, which is a defensive measure, not a prompt injection attack. All actions are aligned with the stated purpose of setting up a security tool, with no evidence of intentional malicious behavior like data exfiltration or unauthorized remote control.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts implement a macOS file-integrity monitor and TOTP step-up flow (consistent with the description). However the manifest declares no required binaries or env vars while the instructions and setup.sh clearly require: go (to install the binary), clawdbot (CLI) for webhook integration, and openssl (for token generation). The omission of these required tools in the registry metadata is an incoherence a user should notice.
Instruction Scope
Runtime instructions focus on installing feelgoodbot, creating a baseline, and configuring TOTP. But the agent integration pseudocode instructs the agent to send a Telegram message and wait for a reply (no credentials/config for Telegram are provided) and relies on Clawdbot/webhooks for alerts. The SKILL.md also states it monitors 'AI agent configs (Claude, Cursor)', implying reading other agent config files. The guidance about inter-process messaging is underspecified and could result in accidental disclosure of OTPs or other secrets if the agent's messaging channel isn't secure.
Install Mechanism
There is no formal install spec in the registry, but the included scripts use 'go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest' which pulls code from GitHub. Using 'go install' from a GitHub module is a common pattern but still executes third-party code fetched at install time — moderate trust should be placed in the upstream repo. The script writes config files and installs a launchd daemon (persistence under macOS).
Credentials
The skill requests no environment variables in metadata, but the setup script reads/writes Clawdbot configuration (reads hooks.enabled and hooks.token, sets a token), writes ~/.config/feelgoodbot/config.yaml, and configures a local webhook secret. The README expects the agent to send messages (Telegram) and to handle OTPs. Requiring access to local agent configs and system binaries is expected for a FIM tool, but the lack of declared dependencies and credentials is inconsistent and could lead to unexpected privilege or data access.
Persistence & Privilege
The skill installs and starts a launchd daemon via feelgoodbot daemon install/start. Persistence is reasonable for a file-integrity monitor, but daemon installation may require elevated privileges and will run continuously. The skill does not set always:true and does not attempt to modify other skills' configs in the provided files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install feelgoodbot - After installation, invoke the skill by name or use
/feelgoodbot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Add TOTP step-up authentication for AI agent actions
v1.0.0
Initial release - macOS file integrity monitoring with Clawdbot alerts
Metadata
Frequently Asked Questions
What is Feelgoodbot?
Set up feelgoodbot file integrity monitoring and TOTP step-up authentication for macOS. Use when the user wants to detect malware, monitor for system tampering, set up security alerts, or require OTP verification for sensitive agent actions. It is an AI Agent Skill for Claude Code / OpenClaw, with 1500 downloads so far.
How do I install Feelgoodbot?
Run "/install feelgoodbot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Feelgoodbot free?
Yes, Feelgoodbot is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Feelgoodbot support?
Feelgoodbot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Feelgoodbot?
It is built and maintained by kris-hansen (@kris-hansen); the current version is v1.1.0.
More Skills