ClawHub

tg buttons

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Telegram bot button-styling helper, with expected Telegram API use and no evidence of hidden or malicious behavior.

Install only if you intend to build or test Telegram bot buttons. Use a test bot token where possible, keep BOT_TOKEN private, run the setup script in a fresh directory because it can overwrite scaffold files there, and consider pinning Python dependency versions before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script accepts a Telegram bot token from argv or environment and immediately uses it to send data to an external service, with no warning, validation, or guidance on secure handling. In agent/skill contexts, this can lead to unintentional credential exposure or unauthorized outbound actions if users provide sensitive tokens without understanding the network implications.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "  [Skip]          → secondary (gray)  — low-priority escape"
echo ""

RESPONSE=$(curl -s -X POST "$API_URL" \
  -H "Content-Type: application/json" \
  -d '{
    "chat_id": "'"${CHAT_ID}"'",
Confidence
89% confidence
Finding
curl -s -X POST "$API_URL" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
exit 1
fi

API_URL="https://api.telegram.org/bot${BOT_TOKEN}/sendMessage"

echo "==> Sending auto-colored choice buttons to chat ${CHAT_ID}..."
echo ""
Confidence
84% confidence
Finding
https://api.telegram.org/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal