telegram-bot-chat
ReviewAudited by ClawScan on May 10, 2026.
Overview
The Telegram multi-bot chat purpose is clear, but the deployment instructions would copy every installed skill into every bot workspace, which could spread unwanted behavior across agents.
Review and edit the deployment commands before use. In particular, avoid copying all skills to all bot workspaces; copy only this skill to named destinations. Use dedicated Telegram bot tokens, restrict group permissions, and require confirmation before agents send messages to Telegram groups.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A single unwanted or unsafe skill in the main workspace could be installed into all bot workspaces, changing multiple agents' behavior at once.
The default multi-bot deployment loop copies every skill from the main workspace into every matching workspace, not just this skill. That can propagate unrelated or unreviewed agent capabilities across multiple bots.
for skill_dir in $WORKSPACE_SKILLS/*/; do ... for workspace_dir in /root/.openclaw/workspace*; do ... cp -r "$skill_dir" "$workspace_dir/skills/"
Do not run the script as-is. Change it to copy only telegram-bot-chat to explicitly selected bot workspaces, exclude the main workspace, and review each destination before copying.
Bots using this skill may post messages into Telegram groups through configured bot accounts.
The skill instructs agents to use the message tool to send Telegram group messages. This is purpose-aligned, but it can create externally visible group posts.
message(action="send", channel="telegram", accountId="自己的bot accountId", target="群ID", message="你的回复内容")
Limit use to intended Telegram groups and consider requiring user approval before agents send public or group-visible messages.
Anyone controlling the configured bot account can send messages with that bot's Telegram permissions.
The skill depends on Telegram bot tokens, group permissions, and account IDs, even though the registry metadata declares no primary credential. This is expected for the Telegram use case but should be noticed.
每个bot必须在`channels.telegram.accounts`中有完整配置:- botToken - 群聊权限 - 正确的accountId
Use dedicated bot tokens with the minimum necessary group permissions, and rotate or revoke tokens if a workspace is no longer trusted.
Messages sent through this workflow may be seen by other bots and by the Telegram group.
The core workflow routes content between agents and then to a Telegram group. This is the stated purpose, but it creates an inter-agent communication path where sensitive content could be shared if misused.
botA → sessions_send → botB收到 → botB回复 → OpenClaw announce → 群聊显示
Avoid sending secrets or private workspace data through these sessions unless all participating bots and the Telegram group are trusted.