TOTP
by Diego Cornejo (GitHub) · v1.0.2
508 downloads · 0 stars · 1 active install · 3 versions
Install in OpenClaw: /install totp
Description
TOTP-based OTP verification for sensitive operations (env vars, gateway restarts, backup deletions, critical config changes). Uses otplib with window:2 (1 mi...
Usage Guidance
This skill appears to do what it says, but consider these precautions before installing: (1) Keep the TOTP secret private — avoid committing .env to source control and prefer a secure secret store if available. (2) Run npm install in a controlled environment and review or vendor the two dependencies (@otplib/preset-default and qrcode) or use a lockfile to prevent supply-chain surprises. (3) After generating the QR, ensure qr.png is actually deleted and the secret rotated if it may have been exposed. (4) Confirm the agent's integration only prompts for the OTP and does not transmit the TOTP_SECRET or .env contents to external services. (5) If you need higher assurance, inspect dependency code or run the scripts locally yourself to verify behavior before granting the agent the ability to invoke them.
Capability Analysis
Type: OpenClaw Skill
Name: totp
Version: 1.0.2
The OpenClaw TOTP skill is designed for secure OTP verification, using standard libraries like `@otplib` and `qrcode`. The `SKILL.md` instructions are clear, align with the stated security purpose, and include a critical step to immediately delete the generated `qr.png` file, which contains the TOTP secret, after it's sent to the user. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent beyond its stated security function.
Capability Assessment
Purpose & Capability
The name/description (TOTP verification for gating sensitive operations) matches the requested resources: node binary and a single TOTP_SECRET. The scripts generate and verify TOTP secrets and tokens, which is exactly what the skill claims to do.
Instruction Scope
SKILL.md limits runtime actions to installing dependencies, generating a QR/secret, prompting for a 6-digit OTP, and running the local verify script. It does not instruct reading unrelated files or transmitting secrets to external endpoints. The instructions to delete qr.png and store TOTP_SECRET in .env are explicit and scoped to the secret onboarding flow.
Install Mechanism
No custom download/install script; runtime expects npm install which fetches two npm packages (@otplib/preset-default, qrcode). Using npm is expected for a Node skill but is a moderate-risk vector compared to instruction-only skills — however package names and pinned versions are provided and there are no obscure URLs or archive extraction steps.
Credentials
Only the TOTP_SECRET env var is required and declared as the primary credential. That single secret is necessary and proportionate for TOTP verification. The skill does not request unrelated credentials or config paths.
Persistence & Privilege
The skill's `always` flag is false, and it contains no instructions to modify other skills or system-wide settings. It does not request persistent elevated privileges beyond the normal ability to run its verification script.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install totp
- After installation, invoke the skill by name or use /totp
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Setup instructions now include explicitly sending the QR image (qr.png) to the user and deleting it immediately for better security.
- Google Authenticator/Authy configuration step updated to allow using either the generated secret or QR image.
v1.0.1
- No changes detected in this version.
- The skill version remains functionally identical to the previous release.
v1.0.0
- Initial release of the TOTP skill for OTP verification during sensitive operations.
- Adds secure TOTP (Time-based One-Time Password) checks for actions like environment variable access, configuration changes, gateway restarts, and backup deletions.
- Setup includes secret generation, QR code for authenticator apps, and environment variable configuration.
- Includes scripts to generate secrets and verify OTP codes with a 1-minute time window.
- Documentation provided in SKILL.md for setup, usage, and integration steps.
Frequently Asked Questions
What is TOTP?
TOTP-based OTP verification for sensitive operations (env vars, gateway restarts, backup deletions, critical config changes). Uses otplib with window:2 (1 mi... It is an AI Agent Skill for Claude Code / OpenClaw, with 508 downloads so far.
How do I install TOTP?
Run "/install totp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is TOTP free?
Yes, TOTP is completely free (open-source). You can download, install and use it at no cost.
Which platforms does TOTP support?
TOTP is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created TOTP?
It is built and maintained by Diego Cornejo (@diegofcornejo); the current version is v1.0.2.