My AI Agent Has a Kill Switch Now
Like many dotcom Gen-X hipsters this week, I'm playing with OpenClaw - an AI agent in a Slack channel where I'm the only member. I can reach it from my phone. It has shell access to a Linux workstation in my barn. Useful for checking the next Puget Sound ferry departure from the grocery store, or adding a coworker to a GitHub repo while I'm out.
Also terrifying.
Prompt injection is real. System instructions aren't a security boundary. If someone sits at my desk while I'm getting coffee, they're me as far as the agent knows. If someone grabs my phone, same problem.
So I built otp-challenger - TOTP verification for AI agents.
How it works
Before sensitive commands, the agent asks for a 6-digit code from my authenticator app. Same TOTP you use for GitHub or AWS. The verification lasts 24 hours, then expires.
Three layers:
1. Pre-emptive gating. The agent won't run kubectl apply or terraform destroy without checking if I've verified recently.
2. Output filtering. An interceptor scans responses for secrets - AWS keys, GitHub tokens, SSH private keys. If found and I'm not verified, the response gets blocked before it reaches the chat.
3. Failure hooks. Three wrong codes in a row? Run a script. Mine sends a Slack alert and kills the agent. If someone's impersonating me, the whole thing shuts down.
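The three layers above, as an added example that is not otp-challenger's own code (the real tool is shell scripts): RFC 6238 code verification, a 24-hour verified window, pre-emptive command gating, secret-pattern output filtering, and a lockout callback after three consecutive failures. The base32 secret, the dangerous-command list and the secret regexes are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, re, struct

VERIFY_TTL = 24 * 3600      # a good code unlocks the agent for 24 hours
MAX_FAILURES = 3            # three wrong codes in a row fire the failure hook
DANGEROUS = ("kubectl apply", "terraform destroy")   # assumed gated commands
SECRET_PATTERNS = [                                   # assumed leak patterns
    re.compile(r"AKIA[0-9A-Z]{16}"),                   # AWS access key ID
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                # GitHub personal token
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), # SSH/TLS private key
]

def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Gate:
    def __init__(self, secret_b32: str, on_lockout):
        self.secret, self.on_lockout = secret_b32, on_lockout
        self.verified_at, self.failures = None, 0

    def is_verified(self, now: int) -> bool:
        return self.verified_at is not None and now - self.verified_at < VERIFY_TTL

    def verify(self, code: str, now: int) -> bool:
        """Check one authenticator code, tolerating one step of clock drift."""
        for drift in (-30, 0, 30):
            if hmac.compare_digest(totp(self.secret, max(now + drift, 0)), code):
                self.verified_at, self.failures = now, 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.on_lockout()                    # e.g. alert Slack and stop the agent
        return False

    def allow_command(self, cmd: str, now: int) -> bool:
        """Layer 1: dangerous commands require a recent verification."""
        return self.is_verified(now) or not cmd.startswith(DANGEROUS)

    def filter_output(self, text: str, now: int) -> str:
        """Layer 2: block responses that contain a secret while unverified."""
        if not self.is_verified(now) and any(p.search(text) for p in SECRET_PATTERNS):
            return "[blocked: response contains a secret and you are not verified]"
        return text
```

The secret in the test is the RFC 6238 reference key "12345678901234567890" in base32, so the expected codes can be checked against the RFC's published vectors.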
The paranoid case
I work from home. My laptop stays logged in. If someone breaks in while I'm out, they have my terminal, my agent, my credentials. (Yes, my screen locks. Work with me here.)
With otp-challenger, they also need my phone. Without the code, the agent refuses dangerous operations and won't leak secrets it finds. If they guess wrong three times, the agent dies and I get notified.
Overkill? Probably. But I sleep better.
Try it
Install from ClawHub or grab the source on GitHub.
Built for OpenClaw but works with any agent that can run shell scripts. Call verify.sh and check-status.sh directly, or use OpenClaw's native hook support.
Built with Claude. Tested against Gemini. Paranoia my own.