ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telegram

v1.0.0

Telegram integration. Manage data, records, and automate workflows. Use when the user wants to interact with Telegram data.

0· 78·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to integrate with Telegram and all instructions center on using the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to Telegram. It does not request unrelated cloud credentials, system files, or permissions. Requiring network access and a Membrane account is consistent with the described functionality.
Instruction Scope
SKILL.md confines runtime actions to installing and running @membranehq/cli commands (login, connect, action list/run, request proxy). It does not instruct reading arbitrary local files, environment variables, or transmitting data to unknown third parties; it explicitly recommends letting Membrane handle credentials.
Install Mechanism
There is no formal install spec in the registry (instruction-only). The doc recommends installing @membranehq/cli via npm -g or using npx. Using a public npm package is reasonable, but global npm installs carry standard supply-chain/trust risks—verify the package name, publisher, and repository, or use npx and pinned versions to reduce risk.
Credentials
The skill declares no required environment variables or secrets and explicitly advises not to ask users for Telegram API keys. Credential handling is delegated to Membrane (server-side), which is proportionate for this integration.
Persistence & Privilege
The skill is not forced-always (always:false) and is user-invocable. disable-model-invocation is false (normal), meaning the agent may call the skill autonomously per platform defaults; there are no requests to modify other skills or system-wide settings.
Assessment
This skill is an instruction-only wrapper that tells the agent to use the Membrane CLI to access Telegram. Before installing: (1) verify you trust Membrane and review its privacy/terms because Telegram credentials and data will be proxied through their service; (2) confirm the npm package (@membranehq/cli) and GitHub repository are legitimate—prefer npx or pin the package version rather than doing a global npm -g install; (3) note the skill needs network access and a Membrane account (browser-based login may be required, or a headless flow); (4) the skill does not request local secrets or access to other skills, but the agent may call it autonomously under normal platform behavior—disable or restrict autonomous invocation in your agent settings if you want tighter control.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cwzh6marhq110xttj66nq184a46d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments