Telegram Bot Manager

Security checks across malware telemetry and agentic risk

Overview

This Telegram setup skill is coherent, but it needs Review because it handles bot tokens in ways that can leak them and makes local OpenClaw configuration changes.

Review the scripts before running them. Use a dedicated Telegram bot token, avoid passing tokens on the command line, avoid shared terminals and screenshots, restrict permissions on OpenClaw config and backup files, and rotate any bot token that may have appeared in logs, shell history, or terminal output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill advertises operational behaviors that imply shell, network, and local file/config interaction, yet it declares no permissions. That creates a transparency and policy-enforcement gap: users and orchestrators cannot accurately assess or constrain what the skill may do before execution. In an agent context, undeclared capabilities materially increase the risk of unexpected config changes, network calls, or command execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is Telegram bot setup and troubleshooting, but the detected behavior includes packaging arbitrary skill contents, modifying local OpenClaw configuration, backing up configs, and restarting the gateway. This mismatch is dangerous because users may invoke the skill expecting limited Telegram diagnostics while it performs privileged local changes with broader system impact. Hidden or under-disclosed side effects are especially risky in automated agent environments.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The document warns users not to commit tokens, but nearby examples use realistic Telegram bot token formats in plaintext. Even if illustrative, this normalizes secret exposure and increases the chance that users paste real tokens into configs, screenshots, shell history, or repositories.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The environment-variable section exports a realistic-looking token directly in a shell command, which can end up in terminal history, process inspection, or copied documentation. This conflicts with the stated best practice and encourages unsafe secret handling by example.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README explicitly instructs users to pass a Telegram bot token as a positional command-line argument. Secrets provided on the command line can be exposed through shell history, process listings, audit logs, and terminal recording systems, which makes accidental credential disclosure plausible. In this skill's context, the secret is a live bot token that can allow unauthorized control of the bot and abuse of Telegram integrations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The example instructs users to validate a bot token by sending it directly to Telegram, but it does not explicitly warn that the token is a secret, may be exposed via shell history or logging, and should only be used in a controlled environment. While contacting Telegram is expected for token validation, the lack of privacy guidance can lead to credential mishandling and accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation includes real-looking bot tokens without a strong warning that they are placeholders. Readers may mistake them for usable values or adopt the unsafe pattern of embedding secrets directly in configuration examples.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script prints the full bot token in a suggested shell export command, exposing a sensitive credential on screen, in terminal scrollback, and potentially in session recordings or support logs. A leaked Telegram bot token allows unauthorized control of the bot API context and can enable impersonation, message access within the bot's scope, and abuse of the integration.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Accepting the bot token as a command-line argument can expose the secret through shell history, process listings, job-control logs, and monitoring tools on multi-user or observed systems. Because this script manages live Telegram bot credentials, accidental disclosure of the token could allow full bot impersonation and control.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: Across multiple sections, the file repeatedly presents what appears to be a live Telegram bot token in plaintext examples. In a bot-management skill, this is especially risky because the audience is likely to handle real credentials, so insecure examples can directly lead to token leakage and bot takeover.

VirusTotal

66/66 vendors flagged this skill as clean.