ClawHub

Telegram MTPROTO CLI

v0.1.4

Read-only Telegram CLI via MTProto. Lists chats, fetches messages, downloads media, manages local accounts/sessions. Does not send messages or modify Telegra...

0· 534·0 current·0 all-time
by@cyberash-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required credentials (api_id/api_hash, phone/OTP), and runtime filesystem/network access (session files, media downloads, outbound TCP to Telegram DCs) all align with a read-only MTProto CLI. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
SKILL.md instructs only how to install and use the 'tg' CLI and how to authenticate interactively. It does not ask the agent to read unrelated files, exfiltrate data to third parties, or perform write operations on Telegram. It explicitly warns about sensitive session files and not logging credentials.
Install Mechanism
Install is an npm global package (npm install -g tg-mtproto-cli) with a GitHub repo listed — this is expected for a CLI published on npm but is a moderate-risk install vector because npm package installs run third-party code. No arbitrary URL downloads or extract steps are present.
Credentials
Requested credentials are limited to Telegram API credentials and phone/OTP (interactive). Storage in system keychain and session files is appropriate for the stated functionality. No unrelated environment variables or secrets are requested.
Persistence & Privilege
Skill is instruction-only and not always:true; it does not request persistent system-wide privileges or modify other skills. The default platform ability for agents to invoke skills autonomously remains in place, which is normal and not a concern given the other checks.
Assessment
This skill appears to do what it says: it uses an npm-published CLI for read-only access to Telegram via MTProto. Before installing, verify the npm package and GitHub repo (maintainer reputation, recent commits, issues), be aware that 'npm install -g' runs third-party code, and only enter your Telegram api_id/api_hash and phone OTP interactively when you trust the environment. Protect the session files (~/.tg-mtproto-cli/sessions/) and the system keychain entries; consider using an account with limited access if you want to reduce risk. If you are uncomfortable installing global npm packages or allowing the agent to run installed CLIs autonomously, do not install or restrict agent invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk970tdk5c20pmq65y7zf21yg4h81pghb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments