ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

处理Telegram配对码的机器人服务 | Telegram Pairing Code Approver

创建一个持久运行的Telegram机器人服务,用于自动处理配对代码并批准Telegram会话权限。使用时提供机器人令牌,自动创建机器人脚本和服务文件,并启动系统服务。适用于需要自动处理Telegram配对请求的场景。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 1.7k · 2 current installs · 2 all-time installs
by@crazypeace
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (auto-approving Telegram pairing codes) matches the included code: the bot parses messages and runs `openclaw pairing approve telegram <code>`. However the skill does not declare that it needs node, npm, systemctl, or the openclaw CLI; nor does it declare that the deploy step will install npm packages and write files under /etc. Those runtime dependencies and actions are expected for a systemd-based service but are not reflected in the declared requirements.
!
Instruction Scope
SKILL.md and the deploy script instruct the agent to create files, run `npm install`, write a systemd unit, reload systemd, enable and start a service, and store the bot token inside a generated JS file. The bot also logs entire incoming messages and executes shell commands (via child_process.exec) in response to messages. Instructions read/write system configuration (/etc/systemd/system) and run privileged commands without documenting required privileges or limiting which Telegram users may trigger approvals.
Install Mechanism
There is no formal install spec, but deploy.js runs `npm install` at runtime to fetch dependencies (telegraf). This is a network fetch from the npm registry and will write node_modules to disk. The code will therefore pull third-party code at deploy time even though the skill metadata lists no install step or dependencies.
!
Credentials
The skill declares no required credentials, yet the deploy script requires the BOT_TOKEN passed on the command line and writes it in plaintext into a generated file. Required binaries (node, npm, systemctl, openclaw) are not declared. The token may be written with default filesystem permissions (potentially world-readable depending on umask). The openclaw CLI is invoked without verification — if an attacker can control messages, they can cause shell commands to run.
!
Persistence & Privilege
The deploy script writes a system-wide systemd unit at /etc/systemd/system and sets User=root for the service, then enables and starts it. This grants persistent, root-level service presence and modifies system configuration without elevating or documenting required privileges. Running a network-facing bot as root increases blast radius if the bot or its dependencies are compromised.
What to consider before installing
Before installing, consider the following: (1) This deploy script requires node/npm, systemd, and the openclaw CLI but the skill metadata doesn't declare them — ensure those binaries and the openclaw tool are trustworthy. (2) The deploy will run `npm install` (network fetch) and write the provided bot token into a generated JS file; avoid passing tokens you don't trust to be stored in plaintext. (3) The service is created to run as root and modifies /etc/systemd/system — prefer creating a dedicated, unprivileged user and change User= in the unit file. (4) The bot executes shell commands based on incoming messages; restrict who can send pairing codes (validate chat/user IDs or require admin approval) to prevent unauthorized approvals. (5) If you still want to use it, review and possibly modify the generated simple_telegram_bot.js to remove broad logging of message contents, add sender whitelisting, and run `npm install` manually in a controlled environment. If you do not control the deployment host or do not fully trust the openclaw CLI or npm dependencies, do not install it.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk97fkpw148xwzzq6j17qnp2tt580g08t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Telegram 配对代码自动批准机器人服务

快速开始

使用预构建的部署脚本快速创建服务:

node scripts/deploy.js <YOUR_BOT_TOKEN>

例如:

node scripts/deploy.js 9632389037:ADG3jTndsXpgdOrdJkfaV80nnsjhQyWEhbT

功能

  • 自动识别三种配对代码格式:
    • NDW4JDJ4 (纯代码格式)
    • code: NDW4JDJ4 (带code:前缀)
    • Pairing code: NDW4JDJ4 (带Pairing code:前缀)
  • 自动执行 openclaw pairing approve telegram <code> 命令
  • 发送友好的提示信息给用户
  • 作为系统服务运行,具备自动重启功能

脚本说明

部署脚本 (scripts/deploy.js)

  • 创建机器人脚本,自动注入提供的令牌
  • 生成systemd服务文件
  • 注册并启动系统服务
  • 配置自动重启机制

服务管理

查看服务状态:

systemctl status telegram-pairing-bot.service

停止服务:

systemctl stop telegram-pairing-bot.service

重启服务:

systemctl restart telegram-pairing-bot.service

检查服务是否启用开机自启:

systemctl is-enabled telegram-pairing-bot.service

优势

  • 高可用性:作为系统服务运行,具备自动重启能力
  • 自动化:无需人工干预即可处理配对请求
  • 用户友好:提供清晰的使用说明
  • 可靠性:防止意外中断影响服务
  • 易于部署:单命令完成完整部署

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…