Telegram Bot Builder

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used to build a real bot, the user may be granting the bot power to interact with chats, groups, or payments.

Why it was flagged

Bot setup, group management, and payment features commonly require delegated Telegram bot authority, group permissions, or payment configuration, even though this artifact does not directly request credentials.

Skill content

- 🤖 Bot Setup (BotFather)
- 👥 Group Management
- 💰 Payment (Stars)

Recommendation

Use least-privilege bot permissions, keep bot tokens private, and review any generated bot code before deploying it to groups or payment flows.

What this means

External Telegram messages could influence bot behavior if the generated implementation trusts webhook input too broadly.

Why it was flagged

Webhook and auto-reply functionality implies external inbound messages may trigger automated bot responses; this is expected for a Telegram bot builder but should be implemented with clear origin checks and limits.

Skill content

- 🔗 Webhook Integration
- 📩 Auto-reply / Filters

Recommendation

Validate webhook sources, avoid treating user messages as trusted instructions, and require explicit review for actions such as moderation, purchases, or account changes.