Telegram Bot API
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent, instruction-only Telegram Bot API guide, but it involves bot tokens and real bot actions, so users should protect tokens and confirm impactful operations.
This skill appears safe to install if you are building Telegram bots. Before using it, decide whether you want the agent to save your bot token locally, use a test bot/chat for experiments, and confirm any action that posts publicly, deletes content, bans users, or changes webhook settings.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the saved bot token could send messages or manage the bot within its permissions.
A Telegram bot token is a credential that can control the bot; saving it locally is disclosed and permission-based, but users should treat it as sensitive.
If they share a token: 1. Ask permission: "Want me to save this token locally so I can help you test?" 2. If yes, save to `~/telegram-bot-api/bots/{botname}.md`Save tokens only for bots you intend the agent to help manage, keep the local files private, and revoke/regenerate the token if it is exposed.
If used with a privileged bot token, commands can affect real chats, messages, and members.
The API reference includes high-impact bot actions such as moderation and deletion; these are expected for a Telegram Bot API skill but should remain user-directed.
### banChatMember
curl -X POST "https://api.telegram.org/bot${TOKEN}/banChatMember" ...
### deleteMessage
curl -X POST "https://api.telegram.org/bot${TOKEN}/deleteMessage"Use test chats first and require explicit confirmation before sending public messages, deleting content, banning users, or changing webhook state.
Stored bot configuration may persist beyond the current conversation and could be reused later by the agent or exposed if local files are readable.
The skill defines persistent local memory that can include bot tokens and defaults reused across future tasks.
Create `~/telegram-bot-api/bots/{botname}.md`:
...
token: {BOT_TOKEN}Review the memory files periodically, remove stale tokens, and restrict file access on shared machines.
The token could appear in webhook configuration, server logs, or shared URLs if this pattern is used.
One webhook example places the bot token in the webhook URL path; this can undermine the token-protection guidance if that URL is copied or logged.
-d "url=https://example.com/webhook/${TOKEN}"Prefer the later `secret_token` webhook pattern and avoid embedding the bot token itself in public or logged URLs.