Telegram Group Chat Setup
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: tg-groupchat-setup Version: 1.0.0 The skill is classified as suspicious due to its use of high-risk capabilities, including reading sensitive credentials (Telegram bot token) from the agent's configuration file (`$HOME/.clawdbot/moltbot.json`) via `scripts/detect_bot_info.sh` and making external network calls to `https://api.telegram.org`. Additionally, the `SKILL.md` explicitly instructs the AI agent to access and modify its own core configuration using `gateway action: "config.get"` and `gateway action: "config.patch"`. While these actions are plausibly aligned with the stated purpose of configuring a Telegram bot, they represent powerful capabilities that could be misused, lacking the clear benign safety of a 'benign' classification, but without explicit evidence of malicious intent like exfiltration to unauthorized endpoints.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can access a Telegram bot token from local configuration. That is expected for this setup, but the token is sensitive because it represents bot account authority.
The helper reads a local gateway config, extracts the Telegram bot token, and sends it to Telegram's official Bot API to identify the bot.
CONFIG_PATH="${CLAWDBOT_CONFIG_PATH:-$HOME/.clawdbot/moltbot.json}" ... token = tg.get('botToken', '') ... curl -s "https://api.telegram.org/bot${BOT_TOKEN}/getMe"Run this only in a trusted environment, verify the config path, and avoid sharing logs or command output that could expose the bot token.
A wrong group ID, allowed-user list, or mention pattern could make the bot respond in the wrong group or to the wrong people.
The skill instructs the agent to modify gateway routing and response-gating configuration for Telegram groups.
Use the `gateway` tool with `action: "config.patch"` ... `groupAllowFrom`: ["<user1>", "<user2>"] ... `mentionPatterns`: ["@bot_username", "bot_name", "@bot_name"]
Review the exact gateway patch before applying it, confirm the group ID and allowed users, and keep a backup of the current gateway config.
People in the Telegram group may have their messages visible to the bot for context, not just messages that directly mention it.
The setup intentionally routes Telegram group messages into the bot context after privacy mode is disabled, even though responses are gated by mentions.
With privacy mode OFF + `requireMention: true` in MoltBot config, the bot sees all messages (for context) but only responds when mentioned.
Only disable Telegram privacy mode for groups where members understand the bot can read group messages, and keep `requireMention` and sender allowlists enabled.