Security audit

TG Channel Manager

Security checks across malware telemetry and agentic risk

Overview

This Telegram channel automation skill is broadly purpose-aligned, but it needs review because it handles bot credentials, scheduled public posting, and a system-level SearXNG installer with weak safeguards.

Install only if you intend an agent to manage a Telegram channel and possibly publish scheduled posts. Use a dedicated least-privileged bot token, avoid exposing tgcm/.config.json or command output, verify the target channel before enabling cron publishing, and avoid running the SearXNG startup helper unless you accept its unpinned system-level installation behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares executable capabilities that include environment access, file reads/writes, and network use, but does not declare corresponding permissions or boundaries. In a skill that handles bot tokens, local config persistence, and outbound Telegram/SearXNG requests, this lack of explicit permission signaling reduces reviewability and can enable unintended secret access or data modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The public description frames the skill as a content pipeline, but the documented behavior also includes channel lifecycle management, bot/API inspection, token discovery and persistence, public-page scraping, and connection handling. This mismatch can cause operators to approve or invoke a skill without realizing it can administer channels, discover/store credentials, and perform broader network and filesystem actions than advertised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The CLI explicitly resolves bot credentials from broad sources outside the skill workspace: a CLI flag, BOT_TOKEN environment variable, and unrelated global openclaw.json locations. In a shared agent/runtime environment, this can cause the tool to silently reuse credentials intended for another project, crossing trust boundaries and enabling unintended access to Telegram resources.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The get-id command allows resolution of any arbitrary Telegram username or chat ID through the bot token, not just channels managed by this workspace. That expands the tool from channel management into general chat enumeration, which can leak metadata about unrelated chats and be abused for reconnaissance using whatever bot credential was resolved.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to schedule an automated publisher that posts content to a Telegram channel, but it does not clearly warn that this action will publish externally without an interactive confirmation step. In a config-driven, reusable channel-management skill, this increases the chance of unintended or misconfigured automated posting, which can cause reputational damage, accidental disclosure, or spam.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt instructs the agent to remove the published entry from content-queue.md, which is a local state-changing action, but it provides no requirement to surface that file modification to the user or obtain confirmation. In an agent setting, silent mutation of local workflow data can cause loss of auditability, accidental deletion of queued content, or unintended state transitions if the agent is triggered automatically.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt directs the agent to send post text to an external Telegram channel via the message tool without any user-facing warning, consent checkpoint, or explicit trust boundary notice. Because this skill is designed for scheduled publishing, the surrounding context increases risk: queued drafts may be transmitted automatically to a public or sensitive channel, causing unintended disclosure, reputational harm, or irreversible publication.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script automatically clones code from GitHub, installs Python dependencies into the system environment, writes configuration under /etc, and then launches the service without any integrity verification, pinning, or user confirmation. In a skill context, this creates supply-chain and system-modification risk: a compromised upstream repo, dependency, or unexpected execution environment could lead to unauthorized code execution or persistent host changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The config command stores the bot token in tgcm/.config.json in plaintext and the list command prints saved values directly, exposing the secret to local users, logs, shell history, or other tooling that captures command output. Since the bot token grants API access, disclosure can let an attacker impersonate the bot and access or manipulate Telegram channel data.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Execution

`python3` and `curl` are available in your environment (declared in `requires.bins`). Run all commands yourself using `exec`/`bash` tool. NEVER ask the user to run commands for you.

## Startup
Confidence
84% confidence
Finding
NEVER ask the user

VirusTotal

62/62 vendors flagged this skill as clean.