ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telegram Bot Manager

v1.0.0

Manage and configure Telegram bots for OpenClaw. Use when setting up Telegram integrations, troubleshooting bot connectivity, configuring bot tokens, or managing Telegram channel/webhook settings. Handles bot registration, token validation, and network connectivity checks for api.telegram.org.

0· 1.6k·7 current·7 all-time
byOpenClaw@362224222
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, README, and scripts all align: the skill sets up Telegram bots, validates tokens, tests connectivity, and configures OpenClaw. Required files and paths (/home/openclaw/.openclaw/*) are consistent with modifying OpenClaw configuration for a Telegram plugin.
Instruction Scope
SKILL.md and scripts instruct the agent/operator to collect a bot token, run network tests (curl/nslookup), update the OpenClaw configuration file, and restart the OpenClaw gateway. These actions are in-scope for configuring a Telegram integration, but they do include writing a plaintext token into a system config and restarting a service — users should be aware of those side effects before running the scripts.
Install Mechanism
There is no install spec and the package is instruction-and-script only. Provided packaging script only zips the skill contents. No remote downloads, no external installers, and no code-obfuscation or unusual install behavior were found.
Credentials
The skill does not declare required environment variables but the scripts accept TELEGRAM_BOT_TOKEN (or prompt for a token). That is proportionate to the stated purpose. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
The scripts modify OpenClaw's configuration file at /home/openclaw/.openclaw/openclaw.json and attempt to restart the OpenClaw gateway (openclaw gateway restart). This is expected for configuration tasks but is a privileged operation on the host — the skill does not set always:true and does not persist beyond updating the OpenClaw config.
Assessment
This skill appears coherent and implements a standard Telegram setup workflow, but before installing or running it: 1) Review and trust the source — the script will write the bot token into /home/openclaw/.openclaw/openclaw.json (plaintext) and restart the OpenClaw gateway. 2) Back up your OpenClaw config (the script attempts a backup, but verify it) and run in a staging environment first. 3) Provide the token via an environment variable or interactively; avoid pasting tokens into shared logs or VCS. 4) Confirm the machine has the openclaw CLI and Python requests available; the scripts will call openclaw to restart the gateway. 5) After testing, consider rotating the bot token if you exposed it during setup. If you need lower privilege testing, run test_bot.py with a test bot token in a non-production environment to verify connectivity first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97899emjvzm4d0e61tbmk8ath80hqt8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments