TOTP Verification Skill

Secure OTP verification using TOTP (Time-based One-Time Password) for sensitive operations.

Purpose

Protect access to:

• .env variables
• openclaw.json configuration
• Gateway restarts
• Backup deletions
• Critical configuration changes
• External API key operations

Setup

• Install dependencies:

npm install

• Generate secret and QR:

npm run generate

node scripts/generate-secret.js MyService myuser

• Send the QR image (qr.png) to the user, then delete it immediately:

rm qr.png

• Set TOTP_SECRET in .env:

TOTP_SECRET=YOUR_BASE32_SECRET_HERE

• Configure Google Authenticator/Authy with the generated secret or QR.

Usage

When a sensitive operation is requested:

• Agent: "Please provide your OTP"
• User: Provides 6-digit code from authenticator app
• Agent: Runs verification:

TOTP_SECRET=$TOTP_SECRET node scripts/verify.js 123456

• If valid (exit 0): Proceed with operation
• If invalid (exit 1): Deny access

Files

• scripts/generate-secret.js - Generate new TOTP secret and QR
• scripts/verify.js - Verify OTP tokens (window:2 = 1 minute tolerance)
• SKILL.md - This documentation

Security Notes

• Window: 2 (1 minute tolerance) for time drift
• Algorithm: SHA1
• Digits: 6
• Period: 30 seconds
• Secret: Base32 encoded, stored in .env as TOTP_SECRET

Integration

This skill should be integrated into the agent's decision flow when:

• User requests .env variables
• User requests openclaw.json contents
• User requests gateway restart
• User requests backup deletion
• Any operation marked as "critical"