Skill v1.0.1

ClawScan security

Persona Consent Telegram (Hub) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 10:35 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and runtime instructions are coherent with its stated purpose (Telegram owner approval gate for sharing a local persona and optional persona-service integration), but package metadata understates the sensitive environment variables the scripts actually require—review configuration and tokens before installing.
Guidance
This skill appears to do what it says: it sends an approval request via a Telegram bot and only returns the persona file when you approve. Before installing, verify and do the following:
1) You must set TELEGRAM_BOT_TOKEN and TELEGRAM_OWNER_CHAT_ID (use a separate approval bot token as recommended), and set PERSONA_PATH and ALLOWED_PERSONA_PATH to the exact persona file you intend to allow; the registry metadata omits these—do not assume none are required.
2) If you enable persona-service mode, PERSONA_SERVICE_URL and PERSONA_CLIENT_ID (and optional shared secret) will cause the local persona-client to poll an external service and POST persona content after approval—ensure the service URL is trusted.
3) Inspect and understand scripts/request_persona.sh and scripts/persona_client.sh (they are small and included) and confirm TELEGRAM_API_BASE and PERSONA_SERVICE_URL are not set to untrusted hosts.
4) Prefer running the persona-client in the foreground for initial testing so you can observe behavior and logs; consider not using the wrapper until you trust its behavior.
5) Keep bot tokens private and rotate them if you publish any logs/screenshots.
If you want stronger assurance, run the scripts in a restricted account or sandbox and review openclaw.json contents before the wrapper is allowed to read it.

Review Dimensions

Purpose & Capability
note: The skill implements a Telegram approval flow and an optional persona-service client; the included scripts (bash + python + curl) match that purpose. However, the registry metadata declares no required env vars while the README and scripts require TELEGRAM_BOT_TOKEN, TELEGRAM_OWNER_CHAT_ID, PERSONA_PATH, ALLOWED_PERSONA_PATH and (for persona-service) PERSONA_SERVICE_URL and PERSONA_CLIENT_ID. That metadata omission is an inconsistency that could mislead users about required secrets.
Instruction Scope
ok: The SKILL.md and scripts strictly perform the approval flow: send a Telegram approval message to the configured owner bot, poll Telegram getUpdates, and—if approved—read the persona file and return/post it. Scripts validate that PERSONA_PATH equals ALLOWED_PERSONA_PATH and reject otherwise. They do not attempt broad file-system access beyond the persona file, the offset state file, or read-only openclaw.json (used to load configured env).
Install Mechanism
ok: There is no network download or installer; the skill is instruction-only with included scripts and JS/TS source. No external archives or remote installers are used. The wrapper and persona client are local scripts that may be run by the user.
Credentials
note: The runtime needs sensitive credentials (Telegram bot token and owner chat id) and persona paths, and optionally persona-service credentials and shared secret. Those are proportionate to the feature, but the registry entry incorrectly reports 'no required env vars', creating an information gap. Also, several env overrides (TELEGRAM_API_BASE, PERSONA_SERVICE_URL) control external endpoints—misconfiguration could direct data to unintended hosts, so verify those values.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills. It may spawn a detached persona_client.sh (wrapper or lifecycle hook) which runs in the background and polls the persona-service; this is expected for the optional persona-service mode. The wrapper reads ~/.openclaw/openclaw.json to obtain the skill's env (necessary to get the tokens).