MAC OS screenshot to telegram

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill does what it says—captures the macOS screen and sends it to Telegram—but users should treat it as sensitive because it uses a bot token and can expose anything visible on screen.

Install only if you intentionally want OpenClaw to capture your macOS screen and send it to Telegram. Before using it, confirm the chat ID and profile, make sure nothing sensitive is visible, protect the Telegram bot token, and remove the saved workspace screenshot if needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken invocation or wrong chat ID could send the screenshot outside the local machine.

Why it was flagged

The skill intentionally uses direct shell/API commands to send media instead of a higher-level OpenClaw message tool. This is disclosed and purpose-aligned, but users should recognize it as a direct external upload path.

Skill content

Always use curl with Telegram Bot API directly for reliable media delivery

Recommendation

Only run it after confirming the intended Telegram chat ID and that the current screen is safe to share.

What this means

Anyone who can use the token can act through that Telegram bot, including sending messages or photos permitted by the bot.

Why it was flagged

The script reads a Telegram bot token from the user's OpenClaw profile configuration, which is expected for this integration but is still account credential use.

Skill content

CONFIG_PATH="$HOME/.openclaw-${PROFILE}/openclaw.json"
BOT_TOKEN=$(grep botToken "$CONFIG_PATH" 2>/dev/null | sed 's/.*"botToken": *"\([^"]*\)".*/\1/')

Recommendation

Store the bot token carefully, use a dedicated low-privilege bot, and rotate the token if it may have been exposed.

What this means

Private messages, documents, browser tabs, or credentials visible on screen could be included in the uploaded screenshot.

Why it was flagged

The script captures the full screen, stores it locally, and uploads it to Telegram using the supplied chat ID. This is the core purpose, but it moves potentially sensitive visual data to an external provider.

Skill content

/usr/sbin/screencapture -x "${WORKSPACE}/screen.png"
RESPONSE=$(curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendPhoto" \
    -F "chat_id=${CHAT_ID}" \
    -F "photo=@${WORKSPACE}/screen.png")

Recommendation

Check the screen before capture, verify the destination chat, and delete the workspace screenshot afterward if it contains sensitive information.