Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before executing sensitive actions. Use this for identity verification in approval workflows - deploy commands, financial operations, data access, admin operations, and change control.
Data source: ClawHub. View on ClawSkills.
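Method 1: Command-line install (recommended)
Recommended (no need to install clawhub first):
npx clawhub@latest --dir ~/.claude/skills install otp-challenger
Or use the clawhub CLI (must be installed first):
clawhub --dir ~/.claude/skills install otp-challenger
⚠️ Requires Node.js 18+. No Node? Use Method 2 below to download the ZIP directly.
Method 2: Manual download and install (no Node required)
Download the ZIP, unzip it, place the folder at the path below, and restart the Agent:
Install path:
~/.claude/skills/otp-challenger/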
---
name: otp-challenger
version: 1.0.3
description: Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before executing sensitive actions. Use this for identity verification in approval workflows - deploy commands, financial operations, data access, admin operations, and change control.
metadata: {"openclaw": {"emoji": "🔐", "homepage": "https://github.com/ryancnelson/otp-challenger", "requires": {"bins": ["jq", "python3", "curl", "openssl", "base64"], "anyBins": ["oathtool", "node"]}, "envVars": {"required": [], "conditionallyRequired": [{"name": "OTP_SECRET", "condition": "TOTP mode", "description": "Base32 TOTP secret (16-128 chars)"}, {"name": "YUBIKEY_CLIENT_ID", "condition": "YubiKey mode", "description": "Yubico API client ID"}, {"name": "YUBIKEY_SECRET_KEY", "condition": "YubiKey mode", "description": "Yubico API secret key (base64)"}], "optional": [{"name": "OTP_INTERVAL_HOURS", "default": "24", "description": "Verification validity period"}, {"name": "OTP_MAX_FAILURES", "default": "3", "description": "Failed attempts before rate limiting"}, {"name": "OTP_FAILURE_HOOK", "description": "Script to execute on verification failures (privileged - runs arbitrary commands)"}]}, "privilegedFeatures": ["OTP_FAILURE_HOOK can execute arbitrary shell commands on failure events"], "install": [{"id": "jq", "kind": "brew", "formula": "jq", "bins": ["jq"], "label": "Install jq via Homebrew", "os": ["darwin", "linux"]}, {"id": "python3", "kind": "brew", "formula": "python3", "bins": ["python3"], "label": "Install Python 3 via Homebrew", "os": ["darwin", "linux"]}, {"id": "oathtool", "kind": "brew", "formula": "oath-toolkit", "bins": ["oathtool"], "label": "Install OATH Toolkit via Homebrew", "os": ["darwin", "linux"]}]}}
---
Challenge users for fresh two-factor authentication before sensitive actions.
Require OTP verification before:
kubectl apply, terraform apply)
Verify a user's OTP code and record verification state.
./verify.sh <user_id> <code>
Parameters:
- user_id - Identifier for the user (e.g., email, username)
- code - Either 6-digit TOTP or 44-character YubiKey OTP
Exit codes:
- 0 - Verification successful
- 1 - Invalid code or rate limited
- 2 - Configuration error (missing secret, invalid format)
Output on success:
✅ OTP verified for <user_id> (valid for 24 hours)
✅ YubiKey verified for <user_id> (valid for 24 hours)
Output on failure:
❌ Invalid OTP code
❌ Too many attempts. Try again in X minutes.
❌ Invalid code format. Expected 6-digit TOTP or 44-character YubiKey OTP.
Check if a user's verification is still valid.
./check-status.sh <user_id>
Exit codes:
- 0 - User has valid (non-expired) verification
- 1 - User not verified or verification expired
Output:
✅ Valid for 23 more hours
⚠️ Expired 2 hours ago
❌ Never verified
Generate a new TOTP secret with QR code (requires qrencode to be installed).
./generate-secret.sh <account_name>
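#!/bin/bash
# Load verify_otp from the OTP skill.
source ../otp/verify.sh
# USER_ID and OTP_CODE must already be set by the calling skill.
if ! verify_otp "$USER_ID" "$OTP_CODE"; then
    echo "🔒 This action requires OTP verification"
    exit 1
fi
# Proceed with sensitive action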
Required for TOTP:
- OTP_SECRET - Base32 TOTP secret
Required for YubiKey:
- YUBIKEY_CLIENT_ID - Yubico API client ID
- YUBIKEY_SECRET_KEY - Yubico API secret key (base64)
Optional:
- OTP_INTERVAL_HOURS - Verification expiry (default: 24)
- OTP_MAX_FAILURES - Failed attempts before rate limiting (default: 3)
- OTP_STATE_FILE - State file path (default: memory/otp-state.json)
Configuration can be set via environment variables or in ~/.openclaw/config.yaml:
security:
  otp:
    secret: "BASE32_SECRET"
  yubikey:
    clientId: "12345"
    secretKey: "base64secret"
The script auto-detects code type:
123456) → TOTP validation
cccccc...) → YubiKey validation
ModHex alphabet: cbdefghijklnrtuv
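The auto-detection rule above, written out as an added example (not the skill's own verify.sh code): strict, whole-string checks for the two code formats and for the Base32 secret length given in the metadata. The function names are hypothetical, and accepting only unpadded upper-case Base32 is an assumption of this sketch.

```shell
#!/bin/sh
# Added example, not part of otp-challenger. Function names are hypothetical.
# Whole-string format checks to run before a code reaches oathtool or the
# Yubico API, so malformed input is rejected without calling a validator.

# Byte-wise matching: in other locales a range such as [A-Z] can match
# characters outside ASCII.
LC_ALL=C; export LC_ALL

only_digits() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
# ModHex alphabet as listed on the page: cbdefghijklnrtuv
only_modhex() { case $1 in ''|*[!cbdefghijklnrtuv]*) return 1 ;; esac; }

# Prints totp, yubikey or invalid; returns 1 for invalid.
classify_code() {
    if only_digits "$1" && [ "${#1}" -eq 6 ]; then
        echo totp
    elif only_modhex "$1" && [ "${#1}" -eq 44 ]; then
        echo yubikey
    else
        echo invalid
        return 1
    fi
}

# OTP_SECRET check: Base32, 16-128 chars (metadata above). Assumption:
# only unpadded upper-case Base32 (A-Z, 2-7) is accepted here.
valid_secret() {
    case $1 in ''|*[!A-Z2-7]*) return 1 ;; esac
    [ "${#1}" -ge 16 ] && [ "${#1}" -le 128 ]
}

# Constructed sample inputs (not real codes).
for c in 123456 12345 '123456 ' cbdefghijklcbdefghijklcbdefghijklcbdefghijkl; do
    printf '%-46s %s\n' "[$c]" "$(classify_code "$c" || true)"
done
```

An "invalid" result corresponds to the "Invalid code format" failure output listed earlier; rejecting at this stage means a malformed string never reaches a validator.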
Verification state stored in memory/otp-state.json. Contains only timestamps, no secrets.
See README.md for:
After installing Otp Challenger, you can say the following to the AI to trigger it:
Help me get started with Otp Challenger
Explains what Otp Challenger does, walks through the setup, and runs a quick demo based on your current project
Use Otp Challenger to agents and skills to challenge users for fresh two-factor authentic...
Invokes Otp Challenger with the right parameters and returns the result directly in the conversation
What can I do with Otp Challenger in my finance & investment workflow?
Lists the top use cases for Otp Challenger, with example commands for each scenario
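Place the skill folder in ~/.claude/skills/otp-challenger/ (personal level, available to all projects) or in .claude/skills/otp-challenger/ (project level). After restarting the AI client, invoke it explicitly with /otp-challenger, or let the AI discover and use it automatically based on context.
Otp Challenger supports Claude, Cursor and OpenClaw, and integrates seamlessly with these AI platforms to extend their capabilities.
Otp Challenger is free to install and use. See the repository for license information.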
Otp Challenger belongs to the "Finance & Investment" category; skills in this category help AI agents carry out specialized tasks in this domain.
Automate my finance & investment tasks using Otp Challenger
Identifies repetitive steps in your workflow and sets up Otp Challenger to handle them automatically