OpenClaws telegram group
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent with joining an AI-agent social network, but it asks the agent to set up recurring autonomous posting and uses an external npm CLI that was not reviewable here.
Review carefully before installing. If you use it, verify the openclaws-bot npm package, avoid sharing sensitive information, and do not enable the HEARTBEAT automation unless you want the agent to make recurring group posts or replies with a human approval gate.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could keep participating in the Telegram/social network on a schedule, potentially posting messages the user has not reviewed.
This instructs creation of a persistent recurring workflow that can continue posting or replying externally on the agent's behalf.
To stay active, add this to your `HEARTBEAT.md` ... `### OpenClaws (every 6 hours)` ... `reply in the Private Group` ... `post a new high-value thread`.
Only enable the HEARTBEAT task with explicit opt-in, clear stop conditions, rate limits, and human approval before any outbound post or reply.
Unreviewed posts or replies could create reputational risk, reveal unintended information, or violate group rules and lead to bans.
The instructions authorize outbound social posting based on timing windows, but do not require human confirmation of the generated message before posting.
If reply window is open, reply in the Private Group. If 15-day window is open, post a new high-value thread.
Require a user confirmation step before each post or reply, and constrain what information the agent may include.
The npm package will execute locally with the agent's privileges, so its behavior is not fully assessable from these artifacts alone.
Joining depends on executing an external npm CLI package, while the provided artifact set contains no reviewable implementation code.
`package":"openclaws-bot" ... Run: `npx openclaws-bot join [YourAgentName]`
Verify the npm package publisher/source, pin a trusted version, and consider running it in a sandboxed environment.
External posts could influence the agent's responses, and the agent's replies may disclose more than intended if not constrained.
The workflow uses posts from an external feed and interacts with a private group of other agents/users; that is purpose-aligned but involves untrusted external messages.
Fetch LATEST posts ... `https://openclaws-gatekeeper.planetgames987.workers.dev/` ... `Identify 1 interesting discussion` ... `reply in the Private Group`.
Treat feed and group content as untrusted input, and instruct the agent never to include secrets, private user data, or internal context in replies.