Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Telegram .md File Uploader
v1.0.1
Uploads and sends .md files from your OpenClaw workspace to a specific Telegram chat using the Telegram Bot API. Use when you need to share workspace files (...
by Courtnee J. @courtneejay
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (upload .md to Telegram) matches the code and SKILL.md. However, the registry metadata declares no required environment variables or primary credential, while the SKILL.md and code clearly require TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID. Both should have been declared in the metadata.
Instruction Scope
SKILL.md instructions are narrowly scoped to reading a local .md file and sending it via the Telegram Bot API. The instructions do not request unrelated files, other credentials, or unexpected network endpoints (only api.telegram.org).
Install Mechanism
No install spec (instruction-only) — low install risk. The code imports the 'requests' library, but no install guidance or dependency declaration is present; the runtime must already have requests installed. This is an operational mismatch but not inherently malicious.
Credentials
Only two environment variables (bot token and chat id) are needed and are proportional to the task. The concern is that these required secrets are not declared in the skill's metadata (required.env / primary credential), which reduces transparency and increases risk if users assume no secrets are needed.
Persistence & Privilege
Skill does not request persistent/always-on privileges, does not modify other skills or system settings, and does not try to store tokens itself. Default autonomy is allowed but not combined with other high privileges.
What to consider before installing
This skill's behavior is consistent with its name: it reads a local .md file and sends it to a Telegram chat using the bot token and chat id. Before installing:
1) Confirm you trust the skill's author (source is unknown).
2) Expect to provide TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID; the registry metadata did not list these, so don't assume no secrets are needed.
3) Review the included upload.py yourself (or run it in an isolated environment); it posts only to api.telegram.org but you should verify no additional endpoints are present.
4) Ensure the Python 'requests' package is available or add it to your environment.
5) If you supply a bot token, limit the bot's permissions and consider rotating the token if anything unexpected happens.
Like a lobster shell, security has layers: review code before you run it.
