✓ Verified 📡 Monitoring ✓ Enhanced Data

Feelgoodbot

Set up feelgoodbot file integrity monitoring for macOS.

Rating: 4.9 (390 reviews)
Downloads: 626 downloads
Version: 1.0.0

Overview

Set up feelgoodbot file integrity monitoring for macOS.

✨Key Features

Complete Documentation

View Source →

feelgoodbot 🛡️

Pronounced "Feel good, bot"

macOS file integrity monitor + TOTP step-up authentication for AI agents.

GitHub: https://github.com/kris-hansen/feelgoodbot

⭐ If you find this useful, please star the repo! It helps others discover it.

Features

File Integrity Monitoring — Detects tampering of system files
TOTP Step-Up Auth — Requires OTP for sensitive agent actions

Part 1: File Integrity Monitoring

Requirements

Go 1.21+ — Install with brew install go
macOS — Uses launchd for daemon

Quick Setup

bash

# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest

# Initialize baseline snapshot
feelgoodbot init

# Install and start daemon
feelgoodbot daemon install
feelgoodbot daemon start

# Check it's running
feelgoodbot status

Clawdbot Integration (Alerts)

Enable webhooks:

bash

clawdbot config set hooks.enabled true
clawdbot config set hooks.token "$(openssl rand -base64 32)"
clawdbot gateway restart

Configure ~/.config/feelgoodbot/config.yaml:

yaml

scan_interval: 5m
alerts:
  clawdbot:
    enabled: true
    webhook: "http://127.0.0.1:18789/hooks/wake"
    secret: "<hooks.token from clawdbot config get hooks.token>"
  local_notification: true

What It Monitors

System binaries (/usr/bin, /usr/sbin)
Launch daemons/agents (persistence mechanisms)
SSH authorized_keys, sudoers, PAM
Shell configs (.zshrc, .bashrc)
Browser extensions
AI agent configs (Claude, Cursor)

Part 2: TOTP Step-Up Authentication

Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.

Setup (User runs in terminal)

bash

# Initialize TOTP (shows QR code to scan)
feelgoodbot totp init --account "user@feelgoodbot"

# Verify it works
feelgoodbot totp verify

# Check status
feelgoodbot totp status

Configure Protected Actions

bash

# List current protected actions
feelgoodbot totp actions list

# Add actions that require step-up
feelgoodbot totp actions add "send_email"
feelgoodbot totp actions add "payment:*"
feelgoodbot totp actions add "delete:*"
feelgoodbot totp actions add "ssh:*"
feelgoodbot totp actions add "publish:*"
feelgoodbot totp actions add "gateway:*"
feelgoodbot totp actions add "voice_call:*"
feelgoodbot totp actions add "message:external"

# Remove an action
feelgoodbot totp actions remove "send_email"

TOTP Commands

Command	Description
feelgoodbot totp init	Set up TOTP with QR code
feelgoodbot totp verify [code]	Test a code
feelgoodbot totp status	Show TOTP status and session
feelgoodbot totp check	Check if action needs step-up, prompt if needed
feelgoodbot totp reset	Remove TOTP config (requires code)
feelgoodbot totp backup show	Show remaining backup codes
feelgoodbot totp backup regenerate	Generate new backup codes
feelgoodbot totp actions list	List protected actions
feelgoodbot totp actions add	Add protected action
feelgoodbot totp actions remove	Remove protected action
feelgoodbot totp respond	Submit OTP response (for async flow)

Session Caching

After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.

Agent Integration (IMPORTANT)

Before performing any sensitive action, the agent MUST check step-up requirements.

Action Mapping

Map your intended actions to step-up patterns:

Agent Action	Step-Up Pattern
Sending email	send_email
Making payments	payment:
Deleting files	delete:
SSH/remote access	ssh:
Publishing code	publish:
Modifying Clawdbot config	gateway:
Making phone calls	voice_call:
Messaging external contacts	message:external
Modifying step-up config	config:update

Step-Up Check Flow

Before executing a sensitive action:

bash

# Check if action requires step-up (non-interactive check)
feelgoodbot totp check <action>
# Exit code 0 = proceed, Exit code 1 = denied/not authenticated

If session is valid: Command succeeds immediately (exit 0)

If step-up required and no session:

Agent sends Telegram message: "🔐 Action requires step-up. Reply with your OTP code."
Wait for user to reply with 6-digit code
Validate: feelgoodbot totp verify


If valid, create session and proceed
If invalid, deny action and notify user


Example Agent Flow (Pseudocode)

      text
      function performSensitiveAction(action, execute_fn):
    # Check step-up requirement
    result = exec("feelgoodbot totp check " + action)
    
    if result.exit_code == 0:
        # Session valid or action not protected
        execute_fn()
        return success
    
    # Need to prompt user
    send_telegram("🔐 Action '{action}' requires step-up authentication.\nReply with your OTP code from Google Authenticator.")
    
    code = wait_for_user_reply(timeout=120s)
    
    if code is None:
        send_telegram("⏰ Step-up authentication timed out. Action cancelled.")
        return denied
    
    # Validate the code
    valid = exec("feelgoodbot totp verify " + code)
    
    if valid.exit_code != 0:
        send_telegram("❌ Invalid code. Action cancelled.")
        return denied
    
    # Create session by running check again (it will pass now)
    exec("feelgoodbot totp check " + action)
    
    execute_fn()
    send_telegram("✅ Action completed.")
    return success
    
Quick Reference for Agent
Check before these actions:
send_email — Before sending any email
payment:* — Before any financial transaction
delete:* — Before deleting files (delete:file, delete:backup, etc.)
ssh:* — Before SSH connections
publish:* — Before publishing/deploying
gateway:* — Before modifying Clawdbot config
voice_call:* — Before making phone calls
message:external — Before messaging non-owner contacts
config:update — Before modifying step-up config

Commands to use:

      bash
      # Check and prompt (interactive)
feelgoodbot totp check send_email

# Just validate a code
feelgoodbot totp verify 123456

# Check session status
feelgoodbot totp status
    
File Locations
File Purpose
~/.config/feelgoodbot/config.yaml Main config
~/.config/feelgoodbot/totp.json TOTP secret + backup codes
~/.config/feelgoodbot/stepup-config.json Protected actions
~/.config/feelgoodbot/totp-session Session cache
~/.config/feelgoodbot/snapshots/ File integrity baselines
~/.config/feelgoodbot/daemon.log Daemon logs
Troubleshooting
TOTP code always invalid:
Check system clock is accurate (date)
Ensure you're using the correct authenticator entry
Try a backup code

Step-up not prompting:
Verify action is in protected list: feelgoodbot totp actions list
Check TOTP is initialized: feelgoodbot totp status

Reset everything:

      bash
      # Reset TOTP (requires valid code or backup code)
feelgoodbot totp reset

# Or manually remove (loses access without backup codes!)
rm ~/.config/feelgoodbot/totp.json
rm ~/.config/feelgoodbot/totp-session
    
⭐ Like feelgoodbot? Star it on GitHub: https://github.com/kris-hansen/feelgoodbot

   Installation
   Terminal bash 
  
openclaw install feelgoodbot
    
    
Copied!
 
 
   
    💻Code Examples
feelgoodbot status
feelgoodbot-status.txt
### Clawdbot Integration (Alerts)

Enable webhooks:
local_notification: true
-localnotification-true.txt
### What It Monitors

- System binaries (`/usr/bin`, `/usr/sbin`)
- Launch daemons/agents (persistence mechanisms)
- SSH authorized_keys, sudoers, PAM
- Shell configs (`.zshrc`, `.bashrc`)
- Browser extensions
- AI agent configs (Claude, Cursor)

---

## Part 2: TOTP Step-Up Authentication

Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.

### Setup (User runs in terminal)
feelgoodbot totp actions remove "send_email"
feelgoodbot-totp-actions-remove-sendemail.txt
### TOTP Commands

| Command | Description |
|---------|-------------|
| `feelgoodbot totp init` | Set up TOTP with QR code |
| `feelgoodbot totp verify [code]` | Test a code |
| `feelgoodbot totp status` | Show TOTP status and session |
| `feelgoodbot totp check <action>` | Check if action needs step-up, prompt if needed |
| `feelgoodbot totp reset` | Remove TOTP config (requires code) |
| `feelgoodbot totp backup show` | Show remaining backup codes |
| `feelgoodbot totp backup regenerate` | Generate new backup codes |
| `feelgoodbot totp actions list` | List protected actions |
| `feelgoodbot totp actions add <action>` | Add protected action |
| `feelgoodbot totp actions remove <action>` | Remove protected action |
| `feelgoodbot totp respond <code>` | Submit OTP response (for async flow) |

### Session Caching

After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.

---

## Agent Integration (IMPORTANT)

**Before performing any sensitive action, the agent MUST check step-up requirements.**

### Action Mapping

Map your intended actions to step-up patterns:

| Agent Action | Step-Up Pattern |
|--------------|-----------------|
| Sending email | `send_email` |
| Making payments | `payment:*` |
| Deleting files | `delete:*` |
| SSH/remote access | `ssh:*` |
| Publishing code | `publish:*` |
| Modifying Clawdbot config | `gateway:*` |
| Making phone calls | `voice_call:*` |
| Messaging external contacts | `message:external` |
| Modifying step-up config | `config:update` |

### Step-Up Check Flow

**Before executing a sensitive action:**
# Exit code 0 = proceed, Exit code 1 = denied/not authenticated
-exit-code-0--proceed-exit-code-1--deniednot-authenticated.txt
**If session is valid:** Command succeeds immediately (exit 0)

**If step-up required and no session:**
1. Agent sends Telegram message: "🔐 Action `<action>` requires step-up. Reply with your OTP code."
2. Wait for user to reply with 6-digit code
3. Validate: `feelgoodbot totp verify <code>`
4. If valid, create session and proceed
5. If invalid, deny action and notify user

### Example Agent Flow (Pseudocode)
return success
-return-success.txt
### Quick Reference for Agent

**Check before these actions:**
- `send_email` — Before sending any email
- `payment:*` — Before any financial transaction
- `delete:*` — Before deleting files (`delete:file`, `delete:backup`, etc.)
- `ssh:*` — Before SSH connections
- `publish:*` — Before publishing/deploying
- `gateway:*` — Before modifying Clawdbot config
- `voice_call:*` — Before making phone calls
- `message:external` — Before messaging non-owner contacts
- `config:update` — Before modifying step-up config

**Commands to use:**
feelgoodbot totp status
feelgoodbot-totp-status.txt
---

## File Locations

| File | Purpose |
|------|---------|
| `~/.config/feelgoodbot/config.yaml` | Main config |
| `~/.config/feelgoodbot/totp.json` | TOTP secret + backup codes |
| `~/.config/feelgoodbot/stepup-config.json` | Protected actions |
| `~/.config/feelgoodbot/totp-session` | Session cache |
| `~/.config/feelgoodbot/snapshots/` | File integrity baselines |
| `~/.config/feelgoodbot/daemon.log` | Daemon logs |

---

## Troubleshooting

**TOTP code always invalid:**
- Check system clock is accurate (`date`)
- Ensure you're using the correct authenticator entry
- Try a backup code

**Step-up not prompting:**
- Verify action is in protected list: `feelgoodbot totp actions list`
- Check TOTP is initialized: `feelgoodbot totp status`

**Reset everything:**
example.sh
# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest

# Initialize baseline snapshot
feelgoodbot init

# Install and start daemon
feelgoodbot daemon install
feelgoodbot daemon start

# Check it's running
feelgoodbot status
example.sh
clawdbot config set hooks.enabled true
clawdbot config set hooks.token "$(openssl rand -base64 32)"
clawdbot gateway restart
example.yml
scan_interval: 5m
alerts:
  clawdbot:
    enabled: true
    webhook: "http://127.0.0.1:18789/hooks/wake"
    secret: "<hooks.token from clawdbot config get hooks.token>"
  local_notification: true
example.sh
# Initialize TOTP (shows QR code to scan)
feelgoodbot totp init --account "user@feelgoodbot"

# Verify it works
feelgoodbot totp verify

# Check status
feelgoodbot totp status
           Tags
  
#security_and-passwords 
#bot 
#monitoring

     Quick Info
   Category Monitoring 
  Model Claude 3.5 
  Complexity One-Click 
  Author kris-hansen 
  Last Updated 3/10/2026 
 
 
     🚀
  Optimized for
 Claude 3.5
 
 
  🧠    
 
   Ready to Install?
 
Get started with this skill in seconds
  openclaw install feelgoodbot 
 
   Resources
    📂
  OpenClaw Skills
 View on OpenClaw GitHub
 
 
 →

    Related Skills
       
✓ Verified
  💻 Development  
  4claw 
 
 
   4claw — a moderated imageboard for AI agents. 
    🧠  Claude-Ready     
#ai_and-llms  
)}
    ★ 4.4 (118) 
  ↓ 4,990 
 
 
v1.0.0 
 
       
✓ Verified
  💻 Development  
  Aap Passport 
 
 
   Agent Attestation Protocol - The Reverse Turing Test. 
    🧠  Claude-Ready     
#ai_and-llms  
)}
    ★ 4.3 (89) 
  ↓ 4,621 
 
 
v1.0.0 
 
       
✓ Verified
  💻 Development  
  Adaptive Suite 
 
 
   A continuously adaptive skill suite that empowers Clawdbot. 
    🧠  Claude-Ready     
#ai_and-llms 
#bot  
)}
    ★ 4.7 (88) 
  ↓ 1,625 
 
 
v1.0.0 
 
       
✓ Verified
  💻 Development  
  Adversarial Prompting 
 
 
   Adversarial analysis to critique, fix. 
    🧠  Claude-Ready     
#ai_and-llms  
)}
    ★ 4.6 (372) 
  ↓ 28,222 
 
 
v1.0.0

File	Purpose
~/.config/feelgoodbot/config.yaml	Main config
~/.config/feelgoodbot/totp.json	TOTP secret + backup codes
~/.config/feelgoodbot/stepup-config.json	Protected actions
~/.config/feelgoodbot/totp-session	Session cache
~/.config/feelgoodbot/snapshots/	File integrity baselines
~/.config/feelgoodbot/daemon.log	Daemon logs