Telegram
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a documentation-only Telegram Bot API guide; it requires care with bot tokens and live API actions, but the artifacts are coherent and purpose-aligned.
Before installing or using this skill, be prepared to handle the Telegram bot token securely and review any generated HTTPS requests that would send messages, delete messages, or set webhooks. The provided artifacts do not show hidden code, automatic execution, or deceptive behavior.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the bot token may be able to control the Telegram bot through the Bot API.
A Telegram bot token is delegated authority for the bot. This is expected for Bot API work, but users should treat it as a secret because it can allow bot actions if exposed.
- Bot token and base API URL.
Store the bot token in a secrets manager or environment variable, never paste it into logs or shared chats, and rotate it if it is exposed.
If the user or agent turns these templates into live HTTPS calls, the bot may post, edit, delete content, or change its webhook settings.
These documented API methods can send, edit, delete messages, or change webhook configuration. They are purpose-aligned for a Telegram bot guide, but they are live mutation capabilities when used with a real token.
- `getMe`, `getUpdates`, `setWebhook` - `sendMessage`, `editMessageText`, `deleteMessage`
Review live requests before sending them, test with a non-production bot or chat first, and use explicit approval for message deletion or webhook changes.