Skill v1.0.0

ClawScan security

OpenClaw Multi-Agent System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 11:51 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only guide for configuring multiple Telegram bots with an OpenClaw multi-agent workspace; the steps, file edits, and credential usage align with the stated purpose and there is no hidden installation or unrelated credential request.
Guidance
This guide is coherent and appears to do what it advertises, but take these precautions before proceeding:
- Back up ~/.openclaw/openclaw.json (the guide suggests doing so) and validate JSON after edits. A bad config can break your instance.
- Treat every Bot Token as a secret: store it securely (not pasted into public chat or a public repository). If a token is leaked, rotate it in BotFather immediately.
- Disabling BotFather privacy (/setprivacy → Disable) allows bots to read all group messages — only do this if you understand and accept the privacy implications.
- Forwarding a message to @raw_data_bot sends message content to that third party. If you do not trust that bot, obtain the chat ID via your own bot or other admin tooling instead.
- Confirm where "MemOS Cloud" stores memory before enabling/shared use: if memory is cloud-hosted, sensitive conversation content may be uploaded off-host.
- Test configuration in a private or test group first, and limit bot permissions to the minimum required.
- The skill is only guidance (no code runs automatically). Follow the steps manually and verify each change before putting agents into a production group.

Review Dimensions

Purpose & Capability
ok
The name/description (multi-agent Telegram group with shared workspace and MemOS memory) matches the instructions: creating ~/.openclaw workspace, adding per-agent dirs, and editing openclaw.json to include multiple bot tokens and bindings. The only credentials the guide needs are Telegram bot tokens and user/group IDs, which are appropriate for this task. The guide assumes a MemOS Cloud plugin is present — that is an environmental assumption but not inconsistent.
Instruction Scope
note
Instructions are limited to local config changes (back up and edit ~/.openclaw/openclaw.json), creating workspace directories and text files, and operational steps for adding bots to the Telegram group. These actions are within scope. Two notes: (1) the guide suggests forwarding a message to @raw_data_bot to obtain chat.id — that sends group message data to a third-party bot and may leak content; (2) it requires disabling BotFather privacy so bots can read all group messages, which is a security/privacy tradeoff the user should consider.
Install Mechanism
ok
No install spec or code files are present — this is instruction-only. Nothing is downloaded or written by the skill itself, so there is no installer risk from the skill package.
Credentials
ok
The guide does not declare environment variables or request unrelated credentials. It instructs the user to place each Bot Token into openclaw.json (appropriate and proportional). No other secrets or unrelated service keys are requested.
Persistence & Privilege
ok
Skill flags are default (always: false, agent invocation allowed). The guide instructs edits only to the user's ~/.openclaw configuration and workspace; this is expected for a local configuration guide and does not request elevated or system-wide privileges.