Back to skill

Security audit

Telegram Bot Manager

Security checks across malware telemetry and agentic risk

Overview

This Telegram setup skill appears purpose-aligned, but it needs Review because it handles bot tokens in ways that can expose them and changes local OpenClaw configuration/service state.

Review the scripts before running them. Use a dedicated Telegram bot token, avoid passing tokens on the command line, avoid shared terminals/screenshots, restrict permissions on OpenClaw config and backup files, and rotate any token that may have appeared in logs, shell history, or terminal output. Do not assume this is an official OpenClaw publisher package solely from the author field.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill content demonstrates shell and network operations and references reading/writing configuration and test scripts, but it declares no permissions. This creates a dangerous transparency gap: users and policy engines may authorize or execute the skill without understanding that it can access files, modify configuration, and make outbound requests involving sensitive bot tokens.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose sounds like benign Telegram setup and validation, but the detected behavior includes local config modification, backup creation, packaging arbitrary skill contents, and restarting a local service. That mismatch is dangerous because it can hide privileged system changes behind an innocuous description, increasing the chance of unintended execution and abuse, especially where bot tokens and service availability are involved.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script prints the full bot token in the 'export TELEGRAM_BOT_TOKEN=...' example, exposing a secret in terminal output, shell history, logging pipelines, and screen recordings. This undermines the later security warning and can lead to bot takeover if the token is observed or retained by terminal/session logging.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to pass the Telegram bot token directly as a command-line argument, which can expose the secret through shell history, process listings, audit logs, and terminal recording tools. Because this is a long-lived bot credential for a network-connected integration, disclosure could let an attacker control or impersonate the bot until the token is rotated.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows a realistic Telegram bot token format directly in configuration examples, which can normalize placing secrets in plaintext files and may lead users to copy, store, or share real credentials insecurely. In a bot-management skill, this is more dangerous because the primary audience is actively handling live bot tokens and may reuse the example pattern without applying proper secret hygiene.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The environment-variable example includes a credential-like token in a shell `export` command without warning about shell history, process exposure, or secure secret-loading practices. Because this skill is specifically for Telegram bot setup, users are likely to run these commands verbatim with real tokens, increasing the chance of local secret leakage or accidental disclosure in terminal logs and shared troubleshooting output.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script stores the bot token in a local JSON config file without first informing the user that a long-lived credential will be written to disk. If file permissions are weak, backups are copied elsewhere, or the host is shared, the token can be recovered and used to control the Telegram bot.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Displaying the full bot token in a suggested shell export command directly leaks the secret to stdout and potentially to shell scrollback, transcripts, remote support tools, and screenshots. For a bot token, exposure is sufficient to allow unauthorized use of the bot API.

Ssd 3

Low
Confidence
88% confidence
Finding
The documentation repeatedly instructs users to place bot tokens directly into config examples and shows realistic token values, which encourages insecure secret handling patterns even if the examples are not live credentials. The surrounding skill context increases relevance because it is operational guidance for a production integration where credential misuse can lead to bot takeover, impersonation, or abuse of the Telegram integration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.