telegram-voice-mode
WarnAudited by ClawScan on May 18, 2026.
Overview
This appears to be a voice-reply tool, but its Telegram send script can default to sending voice messages to a hard-coded Telegram ID instead of clearly using the current chat.
Review this skill before installing. If you use it, remove or replace the hard-coded Telegram ID, require explicit recipient selection from the current chat, and confirm that the separate edge-tts helper and OpenClaw messaging command are trusted.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the script is run without an explicit Telegram ID, voice content may be sent to an unintended external recipient.
The skill is presented as sending voice replies to the current channel, but the send script contains a personal hard-coded default Telegram target that is not clearly disclosed as the default behavior.
const DEFAULT_TARGET = '5500262186'; // 坚果爸爸的 Telegram ID
Remove the hard-coded recipient, require an explicit current conversation target, and show a clear confirmation before sending.
A voice reply can be sent through the messaging tool to a fixed Telegram account without clear per-send recipient control.
The script builds an OpenClaw message-send command and falls back to the hard-coded target when the user does not supply one.
const target = args[1] || DEFAULT_TARGET; ... 'message', 'send', '--channel', channel, '--target', target, '--media', mediaPath
Require the caller to provide the recipient/channel from the active conversation and avoid defaults for external message sends.
The skill can use the user's messaging privileges to contact an external Telegram ID that the user may not have chosen.
The code uses the user's OpenClaw messaging integration to send Telegram media, but the default recipient is not tied to the current user or conversation.
const DEFAULT_CHANNEL = 'telegram'; ... const proc = spawn('openclaw', args, { stdio: 'pipe' });Bind sends to the authenticated current chat context, declare the required messaging authority, and require explicit user approval for any external target.
Private reply content converted to audio could leave the current conversation boundary and be delivered to the wrong Telegram recipient.
Generated audio is sent through an external messaging provider path, and the destination can be the hard-coded default Telegram target.
'--channel', channel, '--target', target, '--media', mediaPath
Make the communication boundary explicit, pass only user-selected recipients, and avoid automatic external sends without confirmation.
The skill may fail unless that other skill exists, and users must trust the separate edge-tts code that will be executed.
The skill relies on another local edge-tts skill script that is not included in this artifact set or declared in the install requirements.
const edgeTtsDir = path.join(os.homedir(), '.openclaw/workspace/skills/edge-tts/scripts'); const ttsScript = path.join(edgeTtsDir, 'tts-converter.js');
Declare the edge-tts dependency clearly, pin or verify it where possible, and review that helper before enabling this skill.
Installing the skill means its scripts can run local Node/OpenClaw commands when invoked.
The skill launches local commands to generate speech. This is expected for the TTS purpose, but it is still a meaningful local execution capability.
const process = spawn('node', args, { cwd: edgeTtsDir, stdio: 'pipe' });Use only after confirming the helper scripts and local OpenClaw command behavior are trusted and scoped.