TransportationDocumentedScanned

otp-challenger

Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before execut.

Share:

Installation

npx clawhub@latest install otp-challenger

View the full skill documentation and source below.

Documentation

OTP Identity Challenge Skill

Challenge users for fresh two-factor authentication before sensitive actions.

When to Use

Require OTP verification before:

  • Deploy commands (kubectl apply, terraform apply)

  • Financial operations (transfers, payment approvals)

  • Data access (PII exports, customer data)

  • Admin operations (user modifications, permission changes)


Scripts

verify.sh

Verify a user's OTP code and record verification state.

./verify.sh <user_id> <code>

Parameters:

  • user_id - Identifier for the user (e.g., email, username)

  • code - Either 6-digit TOTP or 44-character YubiKey OTP


Exit codes:
  • 0 - Verification successful

  • 1 - Invalid code or rate limited

  • 2 - Configuration error (missing secret, invalid format)


Output on success:
✅ OTP verified for <user_id> (valid for 24 hours)
✅ YubiKey verified for <user_id> (valid for 24 hours)

Output on failure:

❌ Invalid OTP code
❌ Too many attempts. Try again in X minutes.
❌ Invalid code format. Expected 6-digit TOTP or 44-character YubiKey OTP.

check-status.sh

Check if a user's verification is still valid.

./check-status.sh <user_id>

Exit codes:

  • 0 - User has valid (non-expired) verification

  • 1 - User not verified or verification expired


Output:
✅ Valid for 23 more hours
⚠️ Expired 2 hours ago
❌ Never verified

generate-secret.sh

Generate a new TOTP secret with QR code (requires qrencode to be installed).

./generate-secret.sh <account_name>

Usage Pattern

#!/bin/bash
source ../otp/verify.sh

if ! verify_otp "$USER_ID" "$OTP_CODE"; then
  echo "🔒 This action requires OTP verification"
  exit 1
fi

# Proceed with sensitive action

Configuration

Required for TOTP:

  • OTP_SECRET - Base32 TOTP secret


Required for YubiKey:
  • YUBIKEY_CLIENT_ID - Yubico API client ID

  • YUBIKEY_SECRET_KEY - Yubico API secret key (base64)


Optional:
  • OTP_INTERVAL_HOURS - Verification expiry (default: 24)

  • OTP_MAX_FAILURES - Failed attempts before rate limiting (default: 3)

  • OTP_STATE_FILE - State file path (default: memory/otp-state.json)


Configuration can be set via environment variables or in ~/.openclaw/config.yaml:

security:
  otp:
    secret: "BASE32_SECRET"
  yubikey:
    clientId: "12345"
    secretKey: "base64secret"

Code Format Detection

The script auto-detects code type:

  • 6 digits (123456) → TOTP validation

  • 44 ModHex characters (cccccc...) → YubiKey validation


ModHex alphabet: cbdefghijklnrtuv

State File

Verification state stored in memory/otp-state.json. Contains only timestamps, no secrets.

Human Documentation

See README.md for:

  • Installation instructions

  • Setup guides (TOTP and YubiKey)

  • Security considerations

  • Troubleshooting

  • Examples

Back to Skills Directory

Related Skills in Transportation

airfrance-afkl

Track Air France flights using the Air France–KLM Open Data APIs (Flight Status).

Docs

anachb

Austrian public transport (VOR AnachB) for all of Austria.

Docs

anyone-proxy

This skill enables IP address masking and accessing hidden services on the Anyone Network.

Docs

aviation-weather

Aviation weather: METAR, TAF, PIREPs for flight planning.

Docs

bahn

Deutsche Bahn train connections and travel planning.

Docs