CreateTelegramClawAgent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill transparently helps create a Telegram bot agent after user confirmation, but users should handle the bot token and OpenClaw configuration changes carefully.

Use this skill only if you intend to create a Telegram-connected OpenClaw agent. Before confirming, check the proposed openclaw.json edits, protect the Telegram bot token, and review the generated AGENTS.md and SOUL.md files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

Medium

What this means

If the token is exposed, someone else could control the Telegram bot.

Why it was flagged

The skill asks the user for a Telegram bot credential and stores it in the generated OpenClaw configuration. This is necessary for the Telegram integration, but the token grants control of the bot.

Skill content

Telegram Bot Token (required) ... "botToken": "<full-bot-token>" ... Anyone with your token can control your bot.

Recommendation

Only provide the token in a trusted environment, review where it will be stored, and rotate the token with BotFather if it is accidentally exposed.

#ASI02: Tool Misuse and Exploitation

Low

What this means

The skill can change which agents exist and how Telegram messages are routed in OpenClaw.

Why it was flagged

The skill instructs the agent to modify local OpenClaw configuration and create files, but it also requires explicit user confirmation before doing so.

Skill content

Only proceed after user explicitly confirms ... Create directories ... Update openclaw.json ... Create agent files

Recommendation

Review the proposed openclaw.json changes before confirming and consider backing up the file first.

#ASI06: Memory and Context Poisoning

Low

What this means

Overly broad or unsafe wording in the generated agent files could affect how the Telegram agent behaves later.

Why it was flagged

The skill creates persistent instruction files based on the requested agent purpose, which will influence future behavior of the new agent.

Skill content

Create agent files: - AGENTS.md - Work responsibilities and workflow - SOUL.md - Agent personality and values

Recommendation

Read the generated AGENTS.md and SOUL.md before using the bot, and keep the agent's responsibilities narrow and explicit.