Telegram Bot Manager
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Telegram bot token shown in terminal output can be captured in logs, agent transcripts, screenshots, or shared support output; anyone with the token can control that bot.
The script prints the full user-supplied bot token back to stdout in a suggested command.
print(f" Or: export TELEGRAM_BOT_TOKEN={bot_token}")
Do not echo full tokens. Replace this with a placeholder or masked value, and advise users to set the token through a secure secret mechanism.
The bot credential persists on disk and may also be present in configuration backups.
The setup script stores the Telegram bot token in the OpenClaw configuration, which is expected for this integration but remains sensitive.
'token': bot_token
Restrict file permissions on the OpenClaw config and backup files, avoid sharing them, and rotate the token if it may have been exposed.
Running the script can change OpenClaw behavior by enabling the Telegram plugin and restarting the gateway.
Running the setup script writes OpenClaw configuration and restarts the gateway.
json.dump(config, f, indent=2) ... subprocess.run(['openclaw', 'gateway', 'restart']
Run it only when you intend to enable Telegram integration, review the generated config, and keep the backup until you confirm the setup works.
The helper scripts run locally with the user's permissions and can modify local OpenClaw files.
The documented setup flow asks the user to execute bundled Python helper code.
python3 telegram-bot-manager/scripts/setup_bot.py
Review the bundled scripts before running them, especially because the registry source is listed as unknown.
A webhook endpoint can receive internet traffic and must be secured so only legitimate Telegram requests are accepted.
The webhook setup guide describes exposing an OpenClaw-backed endpoint for Telegram webhook delivery.
Public HTTPS endpoint ... OpenClaw accessible from internet
Use HTTPS, a strong Telegram webhook secret token, firewall or IP allow-listing where practical, and monitor gateway logs.
