Telegram Channel Reader
ReviewAudited by ClawScan on May 16, 2026.
Overview
This is a purpose-aligned Telegram reader, but it relies on your personal Telegram API credentials and session file, so those must be protected carefully.
Before installing, make sure you are comfortable giving the agent access to Telegram channels available to your account. Store the API hash and session file securely, use a virtual environment for the Python dependencies, and only grant persistent command approval if you trust the agent to run this reader on relevant requests.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API hash or session file is stolen, someone could access the Telegram account session, including private channels available to that account.
The skill uses personal Telegram API credentials and a persistent Telegram session, which is high-impact account access, but it is directly tied to the Telegram-reading purpose and is disclosed.
This skill requires `TG_API_ID` and `TG_API_HASH` ... The session file grants full Telegram account access — store it securely and never share it.
Use a dedicated or low-risk Telegram account if possible, keep `~/.tg-reader.json` and `*.session` files private with restrictive permissions, and revoke/recreate credentials if exposed.
After always-allow approval, the agent can fetch Telegram channel data through this CLI when it considers the skill relevant.
The documentation asks the user to approve the local CLI so the agent can invoke it. This is expected for the skill, but persistent approval expands what the agent can run without repeated confirmation.
openclaw approvals allowlist add --gateway "$(which tg-reader)"
Approve only the expected `tg-reader` binaries, consider `allow-once` for sensitive use, and review which channels the agent is asked to read.
Installing or uninstalling packages in a shared/global Python environment could affect other tools or inherit risk from external packages.
Setup relies on user-run package installation and changes to the local Python environment. This is normal for a Python Telegram client skill, but it carries ordinary package/provenance risk.
pip uninstall pyrogram -y 2>/dev/null pip install pyrofork tgcrypto telethon pip install -e .
Install in a virtual environment, review the setup script before running it, and avoid running setup commands with unnecessary privileges.
The state file can reveal which channels are tracked and, if corrupted or edited, could cause the agent to miss posts or re-read old ones.
The skill persists per-channel read state so future runs can skip already-seen posts. This is purpose-aligned, but it is persistent local state that affects future outputs.
Tracks which posts have already been fetched so subsequent runs return only new (unread) posts.
Use `--all` when you need a fresh fetch, keep the state file private, and delete or reset `~/.tg-reader-state.json` if results seem incomplete.