Skill v0.2.0

ClawScan security

Telegram Stickers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review
Mar 6, 2026, 4:55 PM
Verdict
Review
Confidence
high
Model
gpt-5-mini
Summary
The skill mostly does what it claims (manage and select Telegram stickers), but its runtime artifacts read sensitive local OpenClaw configuration and rely on undeclared binaries and dependencies, and the SKILL.md contains a prompt-injection signal. These inconsistencies merit caution before installing.
Guidance
Before installing or running this skill:
1) Know that import-sticker-pack.sh reads your OpenClaw config (~/.openclaw/openclaw.json) to obtain the Telegram bot token; if you don't want that file accessed, don't run the import script.
2) The metadata does not declare the required tools (curl, jq, python3); inspect the scripts, make sure you trust them, and run them in a sandbox or an isolated account.
3) The SKILL.md showed a prompt-injection signal (unicode control characters); review the documentation and files in a safe viewer.
4) If you accept the functionality, prefer to: a) supply the bot token via an explicit environment variable (modify the script) instead of reading ~/.openclaw/openclaw.json, b) audit and limit network access, and c) run the scripts with least privilege and keep backups of stickers.json.
5) If any of the undeclared behaviors (reading the OpenClaw config, requiring jq/python3/curl) are unacceptable, ask the author to update the skill manifest to declare the required config paths and dependencies, or decline installation.
Findings
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged as a prompt-injection pattern. The docs give no benign reason for such characters; they could be an attempt to manipulate downstream processing or metadata rendering. Treat the file contents with care and consider opening the file in a hex-aware viewer.

Review Dimensions

Purpose & Capability
concern
The skill's stated purpose (collecting, tagging, selecting, and sending Telegram stickers) matches the included scripts. However, it implicitly requires access to a Telegram bot token (it reads ~/.openclaw/openclaw.json) and to tools such as curl, jq, and python3, none of which are declared in the registry metadata (required env vars, binaries, or config paths). These undeclared requirements are out of proportion to what the metadata declares.
Instruction Scope
concern
SKILL.md instructs the user to run the included shell and Python scripts, which read and modify a local stickers.json and call the Telegram API. The import script directly reads the user's OpenClaw config (~/.openclaw/openclaw.json) to obtain BOT_TOKEN; this accesses a sensitive credential and was not declared. Otherwise SKILL.md stays focused on sticker management and on sending stickers via OpenClaw's message tool; it does not explicitly instruct exfiltration. The presence of a prompt-injection pattern (unicode-control-chars) in SKILL.md is also concerning.
Install Mechanism
ok
There is no remote install or download step, and the package consists of instructions and scripts only (no external archives are fetched at install time), which minimizes supply-chain risk at installation. However, the scripts themselves make network calls (curl to api.telegram.org) at runtime.
Credentials
concern
The registry metadata lists no required env vars or config paths, yet import-sticker-pack.sh reads ~/.openclaw/openclaw.json to extract the Telegram BOT_TOKEN. The skill therefore accesses a sensitive credential (the Telegram bot token) without declaring it or asking for an explicit environment variable. It also assumes the presence of jq, python3, and curl, which are not declared.
Persistence & Privilege
ok
The skill is not always-enabled and is user-invocable; it does not request persistent platform-wide privileges or alter other skills. It only reads and writes its own stickers.json. No 'always: true' or other elevated flags are present.