Security scan
OpenClaw
Safe
High confidence
The skill's code, instructions, and requested resources are consistent with a local TOTP/2FA manager; it stores secrets locally in a JSON vault and contains no network or unexpected credential requests.
Assessment recommendations
This skill appears to do exactly what it says: a local TOTP manager with CLI and Tkinter GUI and no network activity. Before installing, consider: (1) Secrets are stored in a plaintext JSON vault (default ~/.config/otpforge/secrets.json). Although the file is created with mode 600, it is not encrypted — if you need stronger protection, store the file on encrypted disk or modify the code to use OS keyring/encryption. (2) The GUI copies codes to the clipboard, which other apps may read; be mindful...
✓ Purpose and capabilities
Name/description (manage TOTP codes locally, CLI + optional Tkinter GUI) matches the shipped code (cli.py, core.py, gui.py). The skill does not request unrelated credentials or binaries.
✓ Instruction scope
SKILL.md describes running the provided CLI and GUI and references an optional OTPFORGE_STORE env var and CLI --store flag; those behaviors are implemented in the code. The instructions do not ask the agent to read unrelated files, call external endpoints, or exfiltrate data.
✓ Install mechanism
No install spec is provided (instruction-only). Source files are bundled with the skill; there is no download-from-URL, package install, or execution of fetched code. This is low-risk from an install perspective.
ℹ Credential requirements
The skill requests no environment credentials. It supports an optional OTPFORGE_STORE env var to override the local vault path (not a secret). However, the vault is a plaintext JSON file (written with mode 0o600) — secrets are stored unencrypted on disk. No env vars like API keys, tokens, or passwords are requested.
✓ Persistence and permissions
The skill is not always-enabled, does not modify other skills or global agent config, and does not request elevated privileges. It writes a local file (the vault) in the user config directory, which is expected for this purpose.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest · v0.1.0 · 2026/3/22
otpforge v0.1.0
- Initial release of otpforge for local TOTP/2FA management.
- Command-line interface (CLI) supports adding, listing, removing accounts, and displaying TOTP codes.
- Optional Tkinter GUI to view and refresh 2FA codes.
- Vault stored as JSON (default: ~/.config/otpforge/secrets.json) with flexible override options.
- Secrets can be securely added, updated, and masked when entered via GUI.
● Harmless
Install command
Official: npx clawhub@latest install otpforge
Mirror: npx clawhub@latest install otpforge --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库