feelgoodbot
Security & Passwords
v1.1.0
BenignSet up feelgoodbot file integrity monitoring for macOS.
11.2K downloads1.2K installsby @kris-hansen
Setup & Installation
Install command
clawhub install kris-hansen/feelgoodbotIf the CLI is not installed:
Install command
npx clawhub@latest install kris-hansen/feelgoodbotOr install with OpenClaw CLI:
Install command
openclaw skills install kris-hansen/feelgoodbotor paste the repo link into your assistant's chat
Install command
https://github.com/openclaw/skills/tree/main/skills/kris-hansen/feelgoodbotWhat This Skill Does
feelgoodbot monitors file integrity on macOS and adds TOTP step-up authentication for AI agent actions. It watches system binaries, shell configs, SSH keys, and AI agent configs for tampering and sends alerts when changes are detected. Agents can require a one-time password from Google Authenticator before executing sensitive operations like payments, deletions, or SSH connections.
Combines passive file integrity monitoring with active per-action OTP gating in a single tool built for macOS agent workflows, rather than requiring separate utilities for each concern.
When to Use It
- Detecting unauthorized changes to shell config files
- Requiring OTP confirmation before an agent sends an email
- Monitoring launch daemons for persistence mechanisms added by malware
- Gating agent-initiated file deletions behind step-up authentication
- Auditing AI agent configs like Claude or Cursor for unexpected modifications
View original SKILL.md file
# feelgoodbot ๐ก๏ธ
**Pronounced "Feel good, bot"**
macOS file integrity monitor + TOTP step-up authentication for AI agents.
**GitHub:** https://github.com/kris-hansen/feelgoodbot
โญ **If you find this useful, please star the repo!** It helps others discover it.
## Features
1. **File Integrity Monitoring** โ Detects tampering of system files
2. **TOTP Step-Up Auth** โ Requires OTP for sensitive agent actions
---
## Part 1: File Integrity Monitoring
### Requirements
- **Go 1.21+** โ Install with `brew install go`
- **macOS** โ Uses launchd for daemon
### Quick Setup
```bash
# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest
# Initialize baseline snapshot
feelgoodbot init
# Install and start daemon
feelgoodbot daemon install
feelgoodbot daemon start
# Check it's running
feelgoodbot status
```
### Clawdbot Integration (Alerts)
Enable webhooks:
```bash
clawdbot config set hooks.enabled true
clawdbot config set hooks.token "$(openssl rand -base64 32)"
clawdbot gateway restart
```
Configure `~/.config/feelgoodbot/config.yaml`:
```yaml
scan_interval: 5m
alerts:
clawdbot:
enabled: true
webhook: "http://127.0.0.1:18789/hooks/wake"
secret: "<hooks.token from clawdbot config get hooks.token>"
local_notification: true
```
### What It Monitors
- System binaries (`/usr/bin`, `/usr/sbin`)
- Launch daemons/agents (persistence mechanisms)
- SSH authorized_keys, sudoers, PAM
- Shell configs (`.zshrc`, `.bashrc`)
- Browser extensions
- AI agent configs (Claude, Cursor)
---
## Part 2: TOTP Step-Up Authentication
Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.
### Setup (User runs in terminal)
```bash
# Initialize TOTP (shows QR code to scan)
feelgoodbot totp init --account "user@feelgoodbot"
# Verify it works
feelgoodbot totp verify
# Check status
feelgoodbot totp status
```
### Configure Protected Actions
```bash
# List current protected actions
feelgoodbot totp actions list
# Add actions that require step-up
feelgoodbot totp actions add "send_email"
feelgoodbot totp actions add "payment:*"
feelgoodbot totp actions add "delete:*"
feelgoodbot totp actions add "ssh:*"
feelgoodbot totp actions add "publish:*"
feelgoodbot totp actions add "gateway:*"
feelgoodbot totp actions add "voice_call:*"
feelgoodbot totp actions add "message:external"
# Remove an action
feelgoodbot totp actions remove "send_email"
```
### TOTP Commands
| Command | Description |
|---------|-------------|
| `feelgoodbot totp init` | Set up TOTP with QR code |
| `feelgoodbot totp verify [code]` | Test a code |
| `feelgoodbot totp status` | Show TOTP status and session |
| `feelgoodbot totp check <action>` | Check if action needs step-up, prompt if needed |
| `feelgoodbot totp reset` | Remove TOTP config (requires code) |
| `feelgoodbot totp backup show` | Show remaining backup codes |
| `feelgoodbot totp backup regenerate` | Generate new backup codes |
| `feelgoodbot totp actions list` | List protected actions |
| `feelgoodbot totp actions add <action>` | Add protected action |
| `feelgoodbot totp actions remove <action>` | Remove protected action |
| `feelgoodbot totp respond <code>` | Submit OTP response (for async flow) |
### Session Caching
After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.
---
## Agent Integration (IMPORTANT)
**Before performing any sensitive action, the agent MUST check step-up requirements.**
### Action Mapping
Map your intended actions to step-up patterns:
| Agent Action | Step-Up Pattern |
|--------------|-----------------|
| Sending email | `send_email` |
| Making payments | `payment:*` |
| Deleting files | `delete:*` |
| SSH/remote access | `ssh:*` |
| Publishing code | `publish:*` |
| Modifying Clawdbot config | `gateway:*` |
| Making phone calls | `voice_call:*` |
| Messaging external contacts | `message:external` |
| Modifying step-up config | `config:update` |
### Step-Up Check Flow
**Before executing a sensitive action:**
```bash
# Check if action requires step-up (non-interactive check)
feelgoodbot totp check <action>
# Exit code 0 = proceed, Exit code 1 = denied/not authenticated
```
**If session is valid:** Command succeeds immediately (exit 0)
**If step-up required and no session:**
1. Agent sends Telegram message: "๐ Action `<action>` requires step-up. Reply with your OTP code."
2. Wait for user to reply with 6-digit code
3. Validate: `feelgoodbot totp verify <code>`
4. If valid, create session and proceed
5. If invalid, deny action and notify user
### Example Agent Flow (Pseudocode)
```
function performSensitiveAction(action, execute_fn):
# Check step-up requirement
result = exec("feelgoodbot totp check " + action)
if result.exit_code == 0:
# Session valid or action not protected
execute_fn()
return success
# Need to prompt user
send_telegram("๐ Action '{action}' requires step-up authentication.\nReply with your OTP code from Google Authenticator.")
code = wait_for_user_reply(timeout=120s)
if code is None:
send_telegram("โฐ Step-up authentication timed out. Action cancelled.")
return denied
# Validate the code
valid = exec("feelgoodbot totp verify " + code)
if valid.exit_code != 0:
send_telegram("โ Invalid code. Action cancelled.")
return denied
# Create session by running check again (it will pass now)
exec("feelgoodbot totp check " + action)
execute_fn()
send_telegram("โ
Action completed.")
return success
```
### Quick Reference for Agent
**Check before these actions:**
- `send_email` โ Before sending any email
- `payment:*` โ Before any financial transaction
- `delete:*` โ Before deleting files (`delete:file`, `delete:backup`, etc.)
- `ssh:*` โ Before SSH connections
- `publish:*` โ Before publishing/deploying
- `gateway:*` โ Before modifying Clawdbot config
- `voice_call:*` โ Before making phone calls
- `message:external` โ Before messaging non-owner contacts
- `config:update` โ Before modifying step-up config
**Commands to use:**
```bash
# Check and prompt (interactive)
feelgoodbot totp check send_email
# Just validate a code
feelgoodbot totp verify 123456
# Check session status
feelgoodbot totp status
```
---
## File Locations
| File | Purpose |
|------|---------|
| `~/.config/feelgoodbot/config.yaml` | Main config |
| `~/.config/feelgoodbot/totp.json` | TOTP secret + backup codes |
| `~/.config/feelgoodbot/stepup-config.json` | Protected actions |
| `~/.config/feelgoodbot/totp-session` | Session cache |
| `~/.config/feelgoodbot/snapshots/` | File integrity baselines |
| `~/.config/feelgoodbot/daemon.log` | Daemon logs |
---
## Troubleshooting
**TOTP code always invalid:**
- Check system clock is accurate (`date`)
- Ensure you're using the correct authenticator entry
- Try a backup code
**Step-up not prompting:**
- Verify action is in protected list: `feelgoodbot totp actions list`
- Check TOTP is initialized: `feelgoodbot totp status`
**Reset everything:**
```bash
# Reset TOTP (requires valid code or backup code)
feelgoodbot totp reset
# Or manually remove (loses access without backup codes!)
rm ~/.config/feelgoodbot/totp.json
rm ~/.config/feelgoodbot/totp-session
```
---
โญ **Like feelgoodbot?** Star it on GitHub: https://github.com/kris-hansen/feelgoodbot
Example Workflow
Here's how your AI assistant might use this skill in practice.
INPUT
User asks: Detecting unauthorized changes to shell config files
AGENT
- 1Detecting unauthorized changes to shell config files
- 2Requiring OTP confirmation before an agent sends an email
- 3Monitoring launch daemons for persistence mechanisms added by malware
- 4Gating agent-initiated file deletions behind step-up authentication
- 5Auditing AI agent configs like Claude or Cursor for unexpected modifications
OUTPUT
Set up feelgoodbot file integrity monitoring for macOS.
Security Audits
VirusTotalBenign
OpenClawBenign
View full reportThese signals reflect official OpenClaw status values. A Suspicious status means the skill should be used with extra caution.