Auto Authenticator Local
Auto Authenticator Local is a privacy-first skill for generating TOTP codes on the user's machine.
What this skill does
- Adds a TOTP seed to the operating system credential vault under a user-chosen alias.
- Generates the current 6-digit code for a single alias on explicit request.
- Deletes a stored alias when the user rotates or removes access.
- Helps the user integrate approved local login flows for accounts they own or are authorized to manage.
Hard safety rules
- Refuse any request framed as bypassing MFA, avoiding rate limits, defeating anti-abuse systems, or "hiding" OTP generation from security controls.
- Do not store TOTP seeds in plaintext files, shell history, screenshots, prompts, git, or chat transcripts.
- Do not bulk-export secrets or dump all aliases.
- Do not generate codes silently in the background. Require an explicit alias each time.
- If the account ownership or authorization is unclear, pause and ask for confirmation before helping.
Platform assumptions
- The bundled scripts are cross-platform through keyring, which maps to OS-native secure storage.
- macOS also has a built-in fallback through the security CLI.
- If the host machine does not have a working secure storage backend, help the user install one rather than falling back to plaintext.
Files to use
- scripts/totp_add.py: store or update a TOTP seed in secure storage
- scripts/totp_code.py: generate the current 6-digit code for one alias
- scripts/totp_delete.py: delete an alias from secure storage
- references/security.md: storage and publication guidance
Default workflow
1. Confirm the user owns the account or is authorized to manage it.
2. Ask for a short alias that does not leak unnecessary sensitive context.
3. Store the seed with:
   python3 scripts/totp_add.py --alias <alias> --issuer <issuer> --account <account>
4. Generate a code only when explicitly requested:
   python3 scripts/totp_code.py --alias <alias>
5. Remove the seed if the account is decommissioned or rotated:
   python3 scripts/totp_delete.py --alias <alias>
Response style
- Keep generated output minimal.
- Prefer returning only the code and its expiry when that is what the user asked for.
- When discussing storage or rollout, emphasize privacy, explicit invocation, and device-local handling.
- If the user asks about publishing, position the skill as a local privacy and convenience tool for legitimate access.
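The following is an added example, not the skill's bundled scripts: it shows how a single-alias lookup can return only the 6-digit code and its expiry, and how a missing secure-storage backend stops the run instead of falling back to plaintext. The service name `auto-authenticator-local`, the function names, and the SHA-1/30-second parameters (the RFC 6238 defaults) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

SERVICE = "auto-authenticator-local"  # hypothetical keyring service name
PERIOD = 30   # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6


def totp(seed_b32, now=None):
    """Return (code, seconds_until_expiry) for a base32 TOTP seed."""
    now = time.time() if now is None else now
    # Seeds are often displayed in lowercase groups; normalise and re-pad.
    cleaned = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(now) // PERIOD
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    code = str(value % 10 ** DIGITS).zfill(DIGITS)
    return code, PERIOD - int(now) % PERIOD


def load_seed(alias):
    """Fetch one alias from OS secure storage; never fall back to a file."""
    import keyring  # third-party; imported here so totp() works without it
    from keyring.errors import NoKeyringError
    try:
        seed = keyring.get_password(SERVICE, alias)
    except NoKeyringError as exc:
        raise SystemExit("no secure storage backend; install one first") from exc
    if seed is None:
        raise SystemExit(f"unknown alias: {alias}")
    return seed


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:  # exactly one explicit alias per invocation
        raise SystemExit("usage: totp_example.py <alias>")
    code, ttl = totp(load_seed(sys.argv[1]))
    print(f"{code} (expires in {ttl}s)")
```

The seed is read from the vault at call time and never written to disk or passed on the command line, so it stays out of shell history.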
Good deliverables
- A local setup guide
- A security checklist
- A migration plan from plaintext secrets to Keychain
- A small integration for approved local login steps
Avoid
- Marketing copy about bypassing protections
- Stealth or hidden code generation
- Unauthorized access flows
- Secret export or exfiltration helpers