Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Telegram Footer Patch
v1.0.9
Add a Telegram private-chat footer (`🧠 Model + 💭 Think + 📊 Context`) to OpenClaw replies, with dry-run preview, backup, syntax validation, rollback, and r...
by Joey-Chen @c-joey
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description say 'patch OpenClaw dist JS files to append Telegram footer'. The repository contains patch, revert, and smoke-test scripts that operate on OpenClaw 'dist' bundles and perform backups/syntax checks. Requiring Node.js and Python 3 (documented) is proportionate to this task.
Instruction Scope
SKILL.md instructs the agent to run the included scripts, use --dry-run, restart the gateway, and perform live Telegram acceptance testing. Those instructions are scoped to the stated purpose. It explicitly tells users it will write into the OpenClaw installation directory and to test rollback. No instructions ask the agent to collect unrelated system secrets or exfiltrate data. Note: the provided code listing for patch_reply_footer.py is truncated in the artifact, so the final error handling / write path at the end could not be reviewed in full.
Install Mechanism
No install spec; this is an instruction+script bundle that runs locally. No remote downloads or package installs are described. That is expected for a local patch utility and is lower-risk than arbitrary remote installs.
Credentials
The skill requests no environment variables, credentials, or config paths. It requires Node and Python on PATH (documented) and local filesystem write access to the OpenClaw dist directory — which is necessary and proportional for modifying those files.
Persistence & Privilege
Skill is not always:true and does not request persistent elevated privileges in metadata. It modifies files inside OpenClaw's installation when run (documented). Autonomous invocation is allowed (platform default), but that alone is not a concern here; the actual runtime actions are local file edits and require user execution/permission.
Assessment
This package appears to do what it says: locally patch OpenClaw dist JS bundles to append a Telegram private-chat footer, create backups, verify syntax with node --check, and provide a revert. Before installing or running:
1) Inspect the included scripts yourself (patch_reply_footer.py, revert_reply_footer.py, smoke_test_footer_patch.sh).
2) Run python3 scripts/patch_reply_footer.py --dry-run --list-targets to preview changes.
3) Run the entire flow in a staging instance or container (do not run directly on a production control plane).
4) Verify backups (*.bak.telegram-footer.*) exist and test revert (python3 scripts/revert_reply_footer.py --dry-run then without --dry-run).
5) Restart OpenClaw gateway in staging and perform a real Telegram private-chat test to confirm the footer appears.
Extra caution: the patch script printed in the submission is truncated near the end — that prevented a complete source review and reduces confidence. If you obtain the full package, re-check the end-of-file behavior for any unexpected commands, subprocess calls, or error messages before running on sensitive systems.
Like a lobster shell, security has layers — review code before you run it.
