Telegram Ops

Security checks across malware telemetry and agentic risk

Overview

This skill performs legitimate Telegram forum management, but it also gives agents persistent OpenClaw configuration authority and leaves new Telegram topics with all skills enabled by default.

Install only if you are comfortable letting the agent manage Telegram forum topics and edit OpenClaw Telegram configuration. Use a minimally privileged bot token, keep the token out of logs and chat transcripts, review every config.patch payload before applying it, and add an explicit skills allowlist for each topic instead of relying on the default all-skills behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill clearly relies on shell execution (`curl`, `gateway`, scripts, file redirection) but declares no permissions or safeguards. This creates a capability/expectation mismatch that can cause downstream systems or users to invoke shell-capable actions without explicit review, increasing the chance of unintended command execution or unsafe automation.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The instruction to omit a `skills` key so that all skills are available broadens agent capabilities by default well beyond the stated Telegram forum-management purpose. In context, creating a new topic also provisions an agent context, so defaulting to unrestricted skills can expose unrelated high-risk abilities in a newly created Telegram topic without clear necessity.

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The skill is described as Telegram Bot API forum management, but its instructions also direct users to modify OpenClaw configuration, assign system prompts, and manage session lifecycle. That scope expansion increases security risk because it couples a messaging operation with persistent agent configuration changes that can alter behavior beyond simple forum administration.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation instructs retrieval and subsequent use of a Telegram bot token directly from config, but provides no warning that this is a sensitive secret or that it must not be logged, echoed, or persisted in transcripts. Because the same file also demonstrates shell commands and external API calls, there is a concrete risk of accidental credential disclosure in command history, logs, screenshots, or agent outputs.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill documents deleting session state and transcripts without a warning about irreversibility, backup validation, or confirmation. In context, these sessions are tied to Telegram topics and may contain operational history, so accidental deletion can cause data loss, audit gaps, and loss of context for future investigations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal