MAC OS screenshot to telegram
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation or wrong chat ID could send the screenshot outside the local machine.
The skill intentionally uses direct shell/API commands to send media instead of a higher-level OpenClaw message tool. This is disclosed and purpose-aligned, but users should recognize it as a direct external upload path.
Always use curl with Telegram Bot API directly for reliable media delivery
Only run it after confirming the intended Telegram chat ID and that the current screen is safe to share.
Anyone who can use the token can act through that Telegram bot, including sending messages or photos permitted by the bot.
The script reads a Telegram bot token from the user's OpenClaw profile configuration, which is expected for this integration but is still account credential use.
CONFIG_PATH="$HOME/.openclaw-${PROFILE}/openclaw.json"
BOT_TOKEN=$(grep botToken "$CONFIG_PATH" 2>/dev/null | sed 's/.*"botToken": *"\([^"]*\)".*/\1/')Store the bot token carefully, use a dedicated low-privilege bot, and rotate the token if it may have been exposed.
Private messages, documents, browser tabs, or credentials visible on screen could be included in the uploaded screenshot.
The script captures the full screen, stores it locally, and uploads it to Telegram using the supplied chat ID. This is the core purpose, but it moves potentially sensitive visual data to an external provider.
/usr/sbin/screencapture -x "${WORKSPACE}/screen.png"
RESPONSE=$(curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendPhoto" \
-F "chat_id=${CHAT_ID}" \
-F "photo=@${WORKSPACE}/screen.png")Check the screen before capture, verify the destination chat, and delete the workspace screenshot afterward if it contains sensitive information.