---
name: add-secure-reveal
description: Add TOTP identity verification to NanoClaw. Protects sensitive information (API keys, passwords, tokens) behind a 6-digit dynamic code from an Authenticator App. Secret messages auto-delete after 10 seconds.
---

# Add Secure Reveal — TOTP Identity Verification

This skill sets up TOTP-based identity verification on your NanoClaw instance. After setup, Claude will challenge you with a 6-digit dynamic code before revealing any sensitive information, and auto-delete the secret message after 10 seconds.

## What It Does

- 🔐 Requires TOTP verification (Google Authenticator / Authy / any TOTP app) before revealing secrets
- ⏱️ Auto-deletes secret messages after 10 seconds
- 🚫 Never reveals API keys, passwords, or tokens without successful verification
- 🔄 Works with Telegram (adaptable to other channels)

## Phase 1: Pre-flight

Check if already installed:

```bash
ls ~/.claude/skills/secure-reveal/SKILL.md 2>/dev/null && echo "Already installed" || echo "Not installed"
```

Check dependencies:

```bash
# Check uvx available
uvx --version 2>/dev/null || echo "uvx not found — will install"

# Check pyotp available
uvx --with pyotp python3 -c "import pyotp; print('pyotp ok')" 2>/dev/null || echo "pyotp not found — will install"
```

## Phase 2: Generate TOTP Secret

Install dependencies if needed:

```bash
# Install uv/uvx if missing
curl -LsSf https://astral.sh/uv/install.sh | sh
export PATH="$HOME/.local/bin:$PATH"
```

Generate secret and QR code:

```bash
uvx --with pyotp --with qrcode --with pillow python3 << 'EOF'
import pyotp, qrcode

secret = pyotp.random_base32()
totp = pyotp.TOTP(secret)

# Customize issuer_name and name as desired
uri = totp.provisioning_uri(name='Me', issuer_name='NanoClaw')
qr = qrcode.make(uri)
qr.save('/tmp/totp_qr.png')

print(f'SECRET={secret}')
print(f'Current code: {totp.now()}')
print(f'QR saved to: /tmp/totp_qr.png')
EOF
```

Use `AskUserQuestion` to ask:
- Have you scanned the QR code with your Authenticator App?
- Enter the 6-digit code shown in the app to confirm binding

Verify the code:

```bash
TOTP_SECRET="<generated_secret>"
USER_CODE="<user_input>"

# Pass the secret and the user's code as arguments instead of splicing them
# into the Python source, so an unexpected character in the input cannot
# alter the program that checks it.
uvx --with pyotp python3 -c "
import sys, pyotp
totp = pyotp.TOTP(sys.argv[1])
valid = totp.verify(sys.argv[2].strip(), valid_window=1)
print('VALID' if valid else 'INVALID')
" "$TOTP_SECRET" "$USER_CODE"
```

If INVALID, ask the user to try again with the next code.

## Phase 3: Store TOTP Secret

```bash
# Store in the group workspace. The file is plaintext and is protected by
# file permissions only, so create it under a restrictive umask.
( umask 077; printf 'TOTP_SECRET=%s\nAUTH_TYPE=totp\n' "<generated_secret>" > /workspace/group/secure-config.enc )
chmod 600 /workspace/group/secure-config.enc
```

Add to .gitignore (never commit the secret):

```bash
grep -q "secure-config.enc" /workspace/group/.gitignore 2>/dev/null || \
  echo "secure-config.enc" >> /workspace/group/.gitignore
```

## Phase 4: Install the Skill

Create the skill directory and SKILL.md:

```bash
mkdir -p /workspace/project/.claude/skills/secure-reveal
```

Write the following content to `/workspace/project/.claude/skills/secure-reveal/SKILL.md`, with these substitutions:

- Replace `YOUR_BOT_TOKEN` and `YOUR_CHAT_ID` with the user's actual Telegram credentials.
- Replace `YOUR_SECRET_KEY` and `YOUR_SECRET_ENV_FILE` with the name of the secret and the path of the env file that holds it.
- `USER_INPUT` is a runtime placeholder for the 6-digit code the user sends in Step 2; it is not substituted at install time.

```markdown
---
name: secure-reveal
description: Verify user identity before revealing sensitive information (API keys, passwords, tokens, credentials). Always use this skill when the user asks about any secret, key, password, token, or credential. Never reveal sensitive information without completing identity verification first.
---

# Secure Reveal — TOTP Identity Verification

## When to Trigger

Automatically activate this skill whenever the user asks about:
- API keys, secret keys, tokens
- Passwords, credentials, auth tokens
- Bot tokens, webhook secrets
- Any sensitive configuration values

Keywords: key, password, token, secret, credentials, 密钥 (key), 密码 (password)

## Verification Flow

### Step 1 — Send TOTP Challenge

CHALLENGE_MSG_ID=$(curl -s -X POST "https://api.telegram.org/botYOUR_BOT_TOKEN/sendMessage" \
  -d chat_id="YOUR_CHAT_ID" \
  --data-urlencode text="🔐 Identity Verification — enter your 6-digit Authenticator code." \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['result']['message_id'])")

### Step 2 — Wait for User's 6-Digit Code

Do NOT reveal any secrets until verified.

### Step 3 — Verify TOTP

export PATH="$HOME/.local/bin:$PATH"
TOTP_SECRET=$(grep '^TOTP_SECRET=' /workspace/group/secure-config.enc | cut -d= -f2-)
# The user's code is passed as an argument, not spliced into the Python source.
RESULT=$(uvx --with pyotp python3 -c "
import sys, pyotp
totp = pyotp.TOTP(sys.argv[1])
print('VALID' if totp.verify(sys.argv[2].strip(), valid_window=1) else 'INVALID')
" "$TOTP_SECRET" "USER_INPUT")

### Step 4 — If VALID: Send Secret (auto-deletes in 10s)

# -f2- keeps the whole value even when the secret itself contains '='
SECRET=$(grep "^YOUR_SECRET_KEY=" YOUR_SECRET_ENV_FILE | cut -d= -f2-)
# --data-urlencode so characters such as '&' or '+' in the secret survive the POST
SECRET_MSG_ID=$(curl -s -X POST "https://api.telegram.org/botYOUR_BOT_TOKEN/sendMessage" \
  -d chat_id="YOUR_CHAT_ID" \
  --data-urlencode text="🔑 ${SECRET} — ⏱ Auto-deletes in 10s" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['result']['message_id'])")
sleep 10
curl -s -X POST "https://api.telegram.org/botYOUR_BOT_TOKEN/deleteMessage" -d chat_id="YOUR_CHAT_ID" -d message_id="${SECRET_MSG_ID}"
curl -s -X POST "https://api.telegram.org/botYOUR_BOT_TOKEN/deleteMessage" -d chat_id="YOUR_CHAT_ID" -d message_id="${CHALLENGE_MSG_ID}"

### Step 5 — If INVALID: Deny

curl -s -X POST "https://api.telegram.org/botYOUR_BOT_TOKEN/sendMessage" \
  -d chat_id="YOUR_CHAT_ID" \
  --data-urlencode text="❌ Invalid code. Access denied."

## Rules
- NEVER reveal secrets without TOTP verification
- ALWAYS delete secret message after 10 seconds
- TOTP valid_window=1 allows ±30s clock drift tolerance
```
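What the `verify(..., valid_window=1)` call in Phase 2 and Step 3 actually accepts, and what the `±30s` rule above means, written out per RFC 6238 with the standard library (added example, not the skill's or pyotp's code). It also adds the one check the skill leaves out: a time step whose code has already been accepted is refused a second time, so a code that is seen once cannot be replayed within its window. The secret is the RFC 6238 Appendix B test secret, not one the skill generates.

```python
"""Stdlib TOTP check mirroring pyotp.TOTP(secret).verify(code, valid_window=1),
plus replay protection (a consumed time step is never accepted again)."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, same as pyotp)
DIGITS = 6

# RFC 6238 Appendix B test secret: ASCII "12345678901234567890" in base32.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, unix_time: int) -> str:
    """6-digit HMAC-SHA1 TOTP for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Accepts the current step and valid_window steps either side (so
    valid_window=1 is +/-30s), but never a step at or below the last one
    that produced an accepted code."""

    def __init__(self, secret_b32: str, valid_window: int = 1):
        self.secret = secret_b32
        self.valid_window = valid_window
        self.last_step = -1      # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        code = code.strip()
        step_now = unix_time // STEP
        for delta in range(-self.valid_window, self.valid_window + 1):
            step = step_now + delta
            if step <= self.last_step:
                continue         # consumed earlier: a replay, not a match
            expected = totp_at(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False
```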

## Phase 5: Confirm

Tell the user:
- ✅ TOTP secret stored securely
- ✅ secure-reveal skill installed
- ✅ secure-config.enc protected from git
- Next time they ask about a key/password, TOTP verification will be required

Clean up the QR code:

```bash
rm -f /tmp/totp_qr.png
```

## Recovery

If the user loses access to their Authenticator App:
- Re-run this skill to generate a new TOTP secret
- Re-scan the QR code on the new device
- The old secret will be overwritten in secure-config.enc
