Skill v1.0.3

ClawScan security

Tg Notify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 14, 2026, 10:53 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's purpose (sending Telegram messages) matches its behavior, but the runtime instructions read a sensitive local config (~/.openclaw/openclaw.json) without declaring that requirement or a credential, which is an incoherence and a privacy/secret-exposure risk.
Guidance
This skill will read your Telegram bot token from ~/.openclaw/openclaw.json and use it to send messages via the Telegram Bot API. That file contains a sensitive credential — the skill did not declare this config path or a required credential. Before installing, verify you trust the skill's source and that you want it to access that local file. Safer alternatives: ask the author to (a) declare the config path or require an env var in the registry metadata, or (b) allow providing a token explicitly instead of reading your home directory. Inspect ~/.openclaw/openclaw.json yourself to confirm what the skill would read, ensure file permissions are tight, and consider creating a dedicated bot/token with minimal scope for this use. If you do not want any skill to access local secrets, do not install this skill.

Review Dimensions

Purpose & Capability
note · The skill claims to send Telegram notifications and its instructions use the Telegram Bot API via curl — this aligns with the stated purpose. It also depends on node and curl (metadata), which is reasonable for the shown commands.
Instruction Scope
concern · The SKILL.md explicitly instructs the agent to read a bot token from the user's ~/.openclaw/openclaw.json via a node one-liner and then POST messages to api.telegram.org. Reading a local config file containing a secret is broader scope than the skill's declared requirements (which list no config paths or env vars). The instructions therefore access sensitive local state not declared in the registry metadata.
Install Mechanism
ok · Instruction-only skill with no install spec or code files — no code is written to disk by the skill itself, which is lower risk from installation mechanics.
Credentials
concern · No required env vars or config paths are declared, yet the runtime steps require reading a Telegram BOT_TOKEN from ~/.openclaw/openclaw.json. That file contains a secret token (sensitive) and should have been declared as required input, or the skill should accept a provided token instead. The metadata does list node and curl as needed, which is appropriate.
Persistence & Privilege
ok · The skill is not forced always-on and does not request system-wide persistence. It does not attempt to modify other skills or global config in the instructions provided.