Telegram Stickers
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill appears safe for its intended purpose if you want your agent to manage and send Telegram stickers. Before installing, make sure you are comfortable with it using your configured Telegram bot token to import packs, sending stickers in chats, and keeping a local stickers.json usage history. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may send stickers into Telegram chats when it decides the conversation context fits.
The skill explicitly instructs the agent to send Telegram stickers through OpenClaw's message tool. This is the core purpose of the skill, but it is still user-visible account activity.
message(action='sticker', target='<chat_id>', stickerId=['<file_id>'])
Enable this only if you want the agent to send stickers automatically under the documented frequency and context rules.
Running the import script uses the Telegram bot identity configured in OpenClaw.
The script reads the local OpenClaw Telegram bot token so it can call Telegram's getStickerSet API. This is purpose-aligned, but the registry metadata declares no primary credential or required config path.
BOT_TOKEN=$(jq -r '.channels.telegram.botToken' ~/.openclaw/openclaw.json)
Use this only with a Telegram bot configuration you trust, and consider declaring the config path and jq/curl dependencies in the skill metadata.
The skill may fail or behave unexpectedly if those tools or the expected stickers.json file are not present.
The registry says no required binaries are needed, but the included scripts require external tools such as curl, jq, and python3. This is a metadata/package completeness issue, not hidden behavior.
RESPONSE=$(curl -s "https://api.telegram.org/bot$BOT_TOKEN/getStickerSet?name=$PACK_NAME")
Before using it, confirm jq, curl, python3, and a valid stickers.json file are available.
Sticker usage history and brief conversation context may remain stored locally between sessions.
The documented stickers.json format persists usage history and a free-text conversation context. This supports analytics but may retain snippets about user interactions.
"usage_log": [{ "file_id": "...", "sent_at": "2026-03-07T00:24:00Z", "context": "User saying goodnight", "message_id": "2599" }]Keep usage context minimal and periodically review or delete stickers.json if you do not want sticker history retained.