Skill v0.1.1
ClawScan security
Telegram File Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 10:18 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested access are consistent with a Telegram inline-button file browser that reads a local workspace and produces message-tool payloads; it makes no unexplained network calls and requests no unrelated credentials.
- Guidance: This skill appears to do exactly what it says: run local Python scripts to present a Telegram-style inline-button file browser rooted in your workspace. Before installing or enabling it for autonomous use, consider the following:
  1) Review the included scripts yourself (they are bundled and readable) to confirm that no sensitive paths outside your intended root will be accessed.
  2) To limit exposure, change the default root from ~/.openclaw/workspace to a restricted directory, or require an explicit root argument.
  3) Confirm the agent's message-tool behavior and access policy (who can receive sent files).
  4) If you do not want the agent to send files automatically, restrict autonomous invocation or require user confirmation before any attachment is sent.
  5) Run the skill in a sandboxed environment if you are concerned about exposing local data.
  Overall, the code contains reasonable path checks and payload validation, and there are no unexplained network endpoints or secret requirements.
Review Dimensions
- Purpose & Capability
- ok: The name/description (Telegram inline-button file browser) matches the included scripts: listing directories, building button layouts, validating callbacks, previewing files, and returning send/send-file plans. The default root (~/.openclaw/workspace) and state path are consistent with a local workspace browser. No unrelated environment variables, binaries, or config paths are requested.
- Instruction Scope
- note: SKILL.md explicitly instructs the agent to run the included Python scripts via the exec tool and to pass the returned message-tool payloads unchanged to the message tool. The scripts legitimately read the local filesystem (list, preview, and send files) and persist state under the runtime state path. This is in scope for a file browser, but note that the agent will execute project code and read files under the configured workspace: the skill does not merely describe UI flows, it actually reads file contents and returns them (or their paths) to the messaging tool.
- Install Mechanism
- ok: There is no install spec (instruction-only skill with bundled scripts). Nothing is downloaded from the network or installed automatically. The scripts live in the skill bundle and are executed via exec, which is the lowest-risk install mechanism in this model.
- Credentials
- ok: The skill declares no required env vars, credentials, or external service keys. All file and config access is to paths under the user's home/workspace, which is proportional to a local file-browser capability. The code also contains path checks (is_within_root) and validation that keeps raw paths out of callback_data, which reduces accidental leakage via callbacks.
- Persistence & Privilege
- note: The always flag is false and the skill does not request system-wide privileges. It persists state under ~/.openclaw/workspace/.openclaw/telegram-file-browser/state.json and may update that file (expected). One caution: because the skill can read and send files from the workspace (including previews and attachments), an autonomously invoked agent with permission to call the message tool could exfiltrate workspace files. This is coherent with its purpose, but it is a data-exposure vector you should weigh before enabling autonomous invocation.
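The two controls the review credits the skill with, root confinement (is_within_root) and no raw paths in callback_data, together with the guidance to require an explicit root rather than defaulting to ~/.openclaw/workspace, as an added example written here rather than taken from the skill's bundled scripts. The class and method names, the "f:" token prefix, the keyed-hash token scheme and the in-memory token index standing in for the skill's state file are all assumptions for illustration, not the skill's API.

```python
"""Added example, not the skill's own code: a minimal root-confined file
browser showing what "is_within_root" confinement and "no raw paths in
callback_data" have to do. Names (FileBrowser, resolve_callback, the "f:"
prefix, the per-install secret) are assumptions for illustration."""
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Telegram caps callback_data at 64 bytes, so a path would not reliably fit;
# more importantly, a forged callback must never be able to name a file directly.
MAX_CALLBACK_BYTES = 64


def is_within_root(root, candidate) -> bool:
    """True only if candidate, joined to root and fully resolved (symlinks and
    '..' included), still lies under root. An absolute candidate replaces root
    when joined, so it is rejected unless it already lives under root."""
    root_r = Path(root).resolve()
    cand_r = (root_r / candidate).resolve()
    try:
        cand_r.relative_to(root_r)
    except ValueError:
        return False
    return True


class FileBrowser:
    """Root is a required argument: no ~/.openclaw/workspace style default."""

    def __init__(self, root: str, secret: bytes):
        self.root = Path(root).resolve()
        self.secret = secret
        # token -> relative path; the part a skill would persist in its state
        # file so a button press can be mapped back without trusting its content.
        self.index: Dict[str, str] = {}

    def _token(self, rel: str) -> str:
        # Keyed hash: tokens are unguessable without the secret and carry no path.
        return hmac.new(self.secret, rel.encode(), hashlib.sha256).hexdigest()[:16]

    def list_dir(self, rel: str = ".") -> List[Tuple[str, str]]:
        """Return (label, callback_data) pairs for entries under root/rel.
        Entries that resolve outside root (e.g. a symlink out) are dropped."""
        if not is_within_root(self.root, rel):
            raise PermissionError(f"{rel!r} is outside the browser root")
        buttons = []
        for entry in sorted((self.root / rel).iterdir()):
            rel_entry = os.path.normpath(os.path.join(rel, entry.name))
            if not is_within_root(self.root, rel_entry):
                continue
            tok = self._token(rel_entry)
            self.index[tok] = rel_entry
            buttons.append((entry.name, f"f:{tok}"))
        return buttons

    def resolve_callback(self, callback_data: str) -> Path:
        """Map a button press back to a file. Anything list_dir did not issue
        (raw paths, guessed tokens, oversized payloads) is rejected."""
        if len(callback_data.encode()) > MAX_CALLBACK_BYTES or not callback_data.startswith("f:"):
            raise ValueError("malformed callback_data")
        rel = self.index.get(callback_data[2:])
        if rel is None:
            raise ValueError("unknown callback token")
        # Re-check at use time: the tree may have changed since the button was built.
        if not is_within_root(self.root, rel):
            raise PermissionError(f"{rel!r} no longer resolves under root")
        return (self.root / rel).resolve()

    def send_file_plan(self, callback_data: str) -> dict:
        """The kind of message-tool payload a file browser hands back."""
        return {"action": "send_file", "path": str(self.resolve_callback(callback_data))}


def _rejects(fb: FileBrowser, callback_data: str) -> bool:
    try:
        fb.resolve_callback(callback_data)
    except (ValueError, PermissionError):
        return True
    return False


def demo() -> dict:
    """Exercise the checks on a constructed, throwaway workspace."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        Path(outside, "secret.txt").write_text("not for telegram\n")
        Path(root, "notes.md").write_text("hello\n")
        Path(root, "sub").mkdir()
        try:  # a symlink pointing out of the workspace, where the platform allows it
            os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "leak"))
        except OSError:
            pass
        fb = FileBrowser(root, secret=b"per-install random secret")
        buttons = fb.list_dir(".")
        notes_cb = dict(buttons)["notes.md"]
        return {
            "labels": [name for name, _ in buttons],  # "leak" is filtered out
            "plan_ok": fb.send_file_plan(notes_cb)["path"] == str(Path(root, "notes.md").resolve()),
            "callbacks_fit": all(len(cb.encode()) <= MAX_CALLBACK_BYTES for _, cb in buttons),
            "traversal_rejected": not is_within_root(root, f"../{os.path.basename(outside)}/secret.txt"),
            "absolute_rejected": not is_within_root(root, os.path.join(outside, "secret.txt")),
            "raw_path_rejected": _rejects(fb, "notes.md"),
            "forged_rejected": _rejects(fb, "f:" + "0" * 16),
        }
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    print(demo())
```

The point of re-running is_within_root inside resolve_callback, not just when the buttons were built, is that a symlink can be swapped in between the two steps; confinement that is checked only at listing time is what a reviewer reading the bundled scripts should look for.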
