Skill v1.0.11
ClawScan security
Telegram Footer Patch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 12:43 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (modifies OpenClaw dist JS bundles to append a Telegram footer), but it writes into installed application bundles and reads local session data—actions that are high-privilege and sensitive and that the package metadata does not fully declare, so review before running.
- Guidance: This package appears to do exactly what it says: edit OpenClaw's dist JS bundles to append a Telegram footer. However, before running it you should:
  1. Inspect the scripts locally (they are included) and confirm you accept that they will write into your OpenClaw installation.
  2. Run the provided dry-run (--dry-run --list-targets) to see which files would be touched.
  3. Run the smoke test in a staging container or VM, confirm backups (*.bak.telegram-footer.*) are created, and test revert.
  4. Be aware the patch reads ~/.openclaw/.../sessions/sessions.json to populate the footer (this reads local session state and token counts — sensitive data).
  5. Ensure node and python3 are installed and that the metadata's omission of those requirements is acceptable.
  6. Only run on systems you control, and require a true process restart and an actual Telegram private-chat test to validate success.
  If you are uncomfortable with any of these points, do not run the patch on production systems.
Review Dimensions
- Purpose & Capability (note): The name/description (append Telegram footer) aligns with the included scripts: patch_reply_footer.py injects marker-wrapped JS snippets, and the revert/smoke-test scripts perform verification and rollback. However, the registry metadata declares no required binaries/env, while the SKILL.md and scripts require python3 and node for execution and for node --check syntax validation — that mismatch is worth noting.
- Instruction Scope (concern): The runtime instructions and scripts will scan and write files under the OpenClaw dist directory (default /usr/lib/node_modules/openclaw/dist) and may modify multiple bundle files. The delivery helper code reads a local session store (~/.openclaw/agents/main/sessions/sessions.json) to surface provider/model/tokens for the footer; reading that file is sensitive and was not prominent in the top-level metadata. The scripts do not contact external endpoints, but they have the ability to change shipped JS bundles, which affects process behavior beyond the skill itself.
- Install Mechanism (note): There is no install spec (instruction-only) — lowest installer risk — but the package includes Python scripts that will write into system-installed JS bundles when run. No remote downloads or archive extraction are used. The lack of an explicit 'requires: node/python' declaration in the registry metadata is a documentation mismatch.
- Credentials (note): The skill does not request secrets or external credentials, which is consistent with its purpose. It does access process.env.HOME (to locate sessions.json) and file system paths under the user's home and the OpenClaw install dir; this is proportionate to producing the footer content but is still sensitive because it reads local session state (provider, model, tokens).
- Persistence & Privilege (concern): The skill modifies application bundle files and requires write access to the OpenClaw dist directory. It is not marked always:true, and it does not autonomously persist itself into agent configuration, but modifying installed bundles is high privilege and can affect the behavior of the whole application. The skill includes backup and revert tooling, which mitigates risk, but running it requires care (staging, permissions, true restart, testing).
