← 返回 Skills 市场
kris-hansen

Feelgoodbot

作者 kris-hansen · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
1500
总下载
1
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install feelgoodbot
功能描述
Set up feelgoodbot file integrity monitoring and TOTP step-up authentication for macOS. Use when the user wants to detect malware, monitor for system tampering, set up security alerts, or require OTP verification for sensitive agent actions.
使用说明 (SKILL.md)

feelgoodbot 🛡️

Pronounced "Feel good, bot"

macOS file integrity monitor + TOTP step-up authentication for AI agents.

GitHub: https://github.com/kris-hansen/feelgoodbot

If you find this useful, please star the repo! It helps others discover it.

Features

  1. File Integrity Monitoring — Detects tampering of system files
  2. TOTP Step-Up Auth — Requires OTP for sensitive agent actions

Part 1: File Integrity Monitoring

Requirements

  • Go 1.21+ — Install with brew install go
  • macOS — Uses launchd for daemon

Quick Setup

# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest

# Initialize baseline snapshot
feelgoodbot init

# Install and start daemon
feelgoodbot daemon install
feelgoodbot daemon start

# Check it's running
feelgoodbot status

Clawdbot Integration (Alerts)

Enable webhooks:

clawdbot config set hooks.enabled true
clawdbot config set hooks.token "$(openssl rand -base64 32)"
clawdbot gateway restart

Configure ~/.config/feelgoodbot/config.yaml:

scan_interval: 5m
alerts:
  clawdbot:
    enabled: true
    webhook: "http://127.0.0.1:18789/hooks/wake"
    secret: "\x3Chooks.token from clawdbot config get hooks.token>"
  local_notification: true

What It Monitors

  • System binaries (/usr/bin, /usr/sbin)
  • Launch daemons/agents (persistence mechanisms)
  • SSH authorized_keys, sudoers, PAM
  • Shell configs (.zshrc, .bashrc)
  • Browser extensions
  • AI agent configs (Claude, Cursor)

Part 2: TOTP Step-Up Authentication

Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.

Setup (User runs in terminal)

# Initialize TOTP (shows QR code to scan)
feelgoodbot totp init --account "user@feelgoodbot"

# Verify it works
feelgoodbot totp verify

# Check status
feelgoodbot totp status

Configure Protected Actions

# List current protected actions
feelgoodbot totp actions list

# Add actions that require step-up
feelgoodbot totp actions add "send_email"
feelgoodbot totp actions add "payment:*"
feelgoodbot totp actions add "delete:*"
feelgoodbot totp actions add "ssh:*"
feelgoodbot totp actions add "publish:*"
feelgoodbot totp actions add "gateway:*"
feelgoodbot totp actions add "voice_call:*"
feelgoodbot totp actions add "message:external"

# Remove an action
feelgoodbot totp actions remove "send_email"

TOTP Commands

Command Description
feelgoodbot totp init Set up TOTP with QR code
feelgoodbot totp verify [code] Test a code
feelgoodbot totp status Show TOTP status and session
feelgoodbot totp check \x3Caction> Check if action needs step-up, prompt if needed
feelgoodbot totp reset Remove TOTP config (requires code)
feelgoodbot totp backup show Show remaining backup codes
feelgoodbot totp backup regenerate Generate new backup codes
feelgoodbot totp actions list List protected actions
feelgoodbot totp actions add \x3Caction> Add protected action
feelgoodbot totp actions remove \x3Caction> Remove protected action
feelgoodbot totp respond \x3Ccode> Submit OTP response (for async flow)

Session Caching

After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.

Agent Integration (IMPORTANT)

Before performing any sensitive action, the agent MUST check step-up requirements.

Action Mapping

Map your intended actions to step-up patterns:

Agent Action Step-Up Pattern
Sending email send_email
Making payments payment:*
Deleting files delete:*
SSH/remote access ssh:*
Publishing code publish:*
Modifying Clawdbot config gateway:*
Making phone calls voice_call:*
Messaging external contacts message:external
Modifying step-up config config:update

Step-Up Check Flow

Before executing a sensitive action:

# Check if action requires step-up (non-interactive check)
feelgoodbot totp check \x3Caction>
# Exit code 0 = proceed, Exit code 1 = denied/not authenticated

If session is valid: Command succeeds immediately (exit 0)

If step-up required and no session:

  1. Agent sends Telegram message: "🔐 Action \x3Caction> requires step-up. Reply with your OTP code."
  2. Wait for user to reply with 6-digit code
  3. Validate: feelgoodbot totp verify \x3Ccode>
  4. If valid, create session and proceed
  5. If invalid, deny action and notify user

Example Agent Flow (Pseudocode)

function performSensitiveAction(action, execute_fn):
    # Check step-up requirement
    result = exec("feelgoodbot totp check " + action)
    
    if result.exit_code == 0:
        # Session valid or action not protected
        execute_fn()
        return success
    
    # Need to prompt user
    send_telegram("🔐 Action '{action}' requires step-up authentication.\
Reply with your OTP code from Google Authenticator.")
    
    code = wait_for_user_reply(timeout=120s)
    
    if code is None:
        send_telegram("⏰ Step-up authentication timed out. Action cancelled.")
        return denied
    
    # Validate the code
    valid = exec("feelgoodbot totp verify " + code)
    
    if valid.exit_code != 0:
        send_telegram("❌ Invalid code. Action cancelled.")
        return denied
    
    # Create session by running check again (it will pass now)
    exec("feelgoodbot totp check " + action)
    
    execute_fn()
    send_telegram("✅ Action completed.")
    return success

Quick Reference for Agent

Check before these actions:

  • send_email — Before sending any email
  • payment:* — Before any financial transaction
  • delete:* — Before deleting files (delete:file, delete:backup, etc.)
  • ssh:* — Before SSH connections
  • publish:* — Before publishing/deploying
  • gateway:* — Before modifying Clawdbot config
  • voice_call:* — Before making phone calls
  • message:external — Before messaging non-owner contacts
  • config:update — Before modifying step-up config

Commands to use:

# Check and prompt (interactive)
feelgoodbot totp check send_email

# Just validate a code
feelgoodbot totp verify 123456

# Check session status
feelgoodbot totp status

File Locations

File Purpose
~/.config/feelgoodbot/config.yaml Main config
~/.config/feelgoodbot/totp.json TOTP secret + backup codes
~/.config/feelgoodbot/stepup-config.json Protected actions
~/.config/feelgoodbot/totp-session Session cache
~/.config/feelgoodbot/snapshots/ File integrity baselines
~/.config/feelgoodbot/daemon.log Daemon logs

Troubleshooting

TOTP code always invalid:

  • Check system clock is accurate (date)
  • Ensure you're using the correct authenticator entry
  • Try a backup code

Step-up not prompting:

  • Verify action is in protected list: feelgoodbot totp actions list
  • Check TOTP is initialized: feelgoodbot totp status

Reset everything:

# Reset TOTP (requires valid code or backup code)
feelgoodbot totp reset

# Or manually remove (loses access without backup codes!)
rm ~/.config/feelgoodbot/totp.json
rm ~/.config/feelgoodbot/totp-session

Like feelgoodbot? Star it on GitHub: https://github.com/kris-hansen/feelgoodbot

安全使用建议
Before installing: 1) Verify and inspect the upstream GitHub repo (github.com/kris-hansen/feelgoodbot) — a 'go install' will fetch and compile code from that source. 2) Understand required tools that the registry metadata omitted: you need Go, clawdbot CLI, and openssl available on PATH. 3) The setup script will enable and write Clawdbot webhook config and write ~/.config/feelgoodbot/config.yaml (it generates and stores a webhook secret). If you use Clawdbot, confirm you trust it and that enabling webhooks and restarting the gateway is acceptable. 4) Running the daemon may require elevated privileges to monitor system binaries; decide whether to run in a controlled environment (VM or test mac) first. 5) The agent flow suggests sending OTP prompts over Telegram (or another messaging channel) but no secure transport/config is provided here — ensure your messaging integration will not leak OTPs or secrets. 6) If you are not comfortable auditing the repository code yourself, treat this package cautiously: it executes third-party code at install time and implements persistent monitoring that will access potentially sensitive files (agent configs, system paths).
功能分析
Type: OpenClaw Skill Name: feelgoodbot Version: 1.1.0 The skill bundle installs a file integrity monitoring and TOTP step-up authentication tool. The `scripts/setup.sh` uses `go install` to fetch and compile the tool from a public GitHub repository, which is a standard method for Go applications. It configures a `launchd` daemon for persistence, necessary for an FIM tool, and integrates with `clawdbot` via a local webhook (`http://127.0.0.1:18789/hooks/wake`) and a locally generated secret, indicating local communication for alerts. The `SKILL.md` provides instructions for the AI agent to implement a security control (TOTP step-up authentication) for sensitive actions, which is a defensive measure, not a prompt injection attack. All actions are aligned with the stated purpose of setting up a security tool, with no evidence of intentional malicious behavior like data exfiltration or unauthorized remote control.
能力评估
Purpose & Capability
The SKILL.md and scripts implement a macOS file-integrity monitor and TOTP step-up flow (consistent with the description). However the manifest declares no required binaries or env vars while the instructions and setup.sh clearly require: go (to install the binary), clawdbot (CLI) for webhook integration, and openssl (for token generation). The omission of these required tools in the registry metadata is an incoherence a user should notice.
Instruction Scope
Runtime instructions focus on installing feelgoodbot, creating a baseline, and configuring TOTP. But the agent integration pseudocode instructs the agent to send a Telegram message and wait for a reply (no credentials/config for Telegram are provided) and relies on Clawdbot/webhooks for alerts. The SKILL.md also states it monitors 'AI agent configs (Claude, Cursor)', implying reading other agent config files. The guidance about inter-process messaging is underspecified and could result in accidental disclosure of OTPs or other secrets if the agent's messaging channel isn't secure.
Install Mechanism
There is no formal install spec in the registry, but the included scripts use 'go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest' which pulls code from GitHub. Using 'go install' from a GitHub module is a common pattern but still executes third-party code fetched at install time — moderate trust should be placed in the upstream repo. The script writes config files and installs a launchd daemon (persistence under macOS).
Credentials
The skill requests no environment variables in metadata, but the setup script reads/writes Clawdbot configuration (reads hooks.enabled and hooks.token, sets a token), writes ~/.config/feelgoodbot/config.yaml, and configures a local webhook secret. The README expects the agent to send messages (Telegram) and to handle OTPs. Requiring access to local agent configs and system binaries is expected for a FIM tool, but the lack of declared dependencies and credentials is inconsistent and could lead to unexpected privilege or data access.
Persistence & Privilege
The skill installs and starts a launchd daemon via feelgoodbot daemon install/start. Persistence is reasonable for a file-integrity monitor, but daemon installation may require elevated privileges and will run continuously. The skill does not set always:true and does not attempt to modify other skills' configs in the provided files.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install feelgoodbot
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /feelgoodbot 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
Add TOTP step-up authentication for AI agent actions
v1.0.0
Initial release - macOS file integrity monitoring with Clawdbot alerts
元数据
Slug feelgoodbot
版本 1.1.0
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Feelgoodbot 是什么?

Set up feelgoodbot file integrity monitoring and TOTP step-up authentication for macOS. Use when the user wants to detect malware, monitor for system tampering, set up security alerts, or require OTP verification for sensitive agent actions. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1500 次。

如何安装 Feelgoodbot?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install feelgoodbot」即可一键安装,无需额外配置。

Feelgoodbot 是免费的吗?

是的,Feelgoodbot 完全免费(开源免费),可自由下载、安装和使用。

Feelgoodbot 支持哪些平台?

Feelgoodbot 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Feelgoodbot?

由 kris-hansen(@kris-hansen)开发并维护,当前版本 v1.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论