Openclaw Telegram Chat

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Telegram setup guide with expected bot-token and group-permission steps, but users should handle those permissions carefully.

Use a dedicated Telegram bot, keep the bot token private, avoid committing it to repositories, restrict allowed_chats to intended groups, grant only the minimum admin permissions needed, and disable privacy mode only in trusted groups where members understand the bot may see more messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The guide instructs users to place a Telegram Bot Token directly into configuration but never warns that the token is a secret credential. In practice, users may paste real tokens into tracked files, screenshots, chat messages, or public repositories, allowing anyone who obtains the token to control the bot and access or impersonate its communications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal