Enable agents and skills to challenge users for fresh two-factor authentication proof before executing sensitive actions. Use this for identity verification in approval workflows - deploy commands, financial operations, data access, admin operations, and change control.
This skill provides identity verification for approval workflows. When your agent needs to execute a command with change-control concerns (deploying code, modifying infrastructure, accessing sensitive data, financial transactions), it can challenge the user to prove their identity with a time-based one-time password (TOTP).
This is not about securing your chat channel—it's about verifying identity before specific actions.
kubectl apply or terraform apply
verify.sh with the user's ID and their 6-digit code
check-status.sh to see if verification is still fresh
clawhub install otp
cd ~/.openclaw/skills
git clone https://github.com/ryancnelson/otp-skill.git otp
After installation, verify required dependencies:
# Check what's available
which jq && echo "✅ jq available" || echo "❌ Install: brew install jq"
which python3 && echo "✅ python3 available" || echo "❌ Install: brew install python3"
which oathtool && echo "✅ oathtool available" || echo "❌ Install: brew install oath-toolkit"
Note: oathtool is optional - the skill includes a built-in TOTP generator, but oathtool provides additional validation.
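The check behind a verify / check-status pair can be illustrated in Python as follows. This is an added example, not the skill's own code: the `Verifier` class, its method names, the 300-second freshness window and the one-step drift allowance are assumptions, and the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time

STEP, DIGITS = 30, 6   # RFC 6238 defaults: 30-second step, 6-digit code
FRESH_FOR = 300        # assumed freshness window in seconds (not from the skill)

def hotp(secret_b32, counter):
    """RFC 4226 code for one counter value, HMAC-SHA1, from a base32 secret."""
    clean = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical in-memory store: verifies codes and tracks freshness."""
    def __init__(self, secrets):
        self.secrets = secrets       # user_id -> base32 secret
        self.last_counter = {}       # user_id -> last accepted time step
        self.verified_at = {}        # user_id -> time of last success

    def verify(self, user_id, code, now=None, drift=1):
        now = time.time() if now is None else now
        secret = self.secrets.get(user_id)
        if secret is None or not (code.isascii() and code.isdigit()
                                  and len(code) == DIGITS):
            return False
        current = int(now) // STEP
        for counter in range(current - drift, current + drift + 1):
            if counter <= self.last_counter.get(user_id, -1):
                continue             # step already used (or negative): no replay
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user_id] = counter
                self.verified_at[user_id] = now
                return True
        return False

    def is_fresh(self, user_id, now=None):
        now = time.time() if now is None else now
        at = self.verified_at.get(user_id)
        return at is not None and now - at < FRESH_FOR

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key, base32-encoded.
    v = Verifier({"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"})
    print(v.verify("alice", "287082", now=59))   # first use of the code
    print(v.verify("alice", "287082", now=59))   # same code again is rejected
```

Rejecting any time step at or below the last accepted one means a code observed in the chat cannot be reused inside its validity window.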
Use the included secret generator:
cd ~/.openclaw/skills/otp
./generate-secret.sh "[email protected]"
This will display:
Alternative: Use any other TOTP secret generator. You need a base32-encoded secret.
Add the secret to your authenticator app:
Option A: In your OpenClaw config
# ~/.openclaw/config.yaml