Tg Search
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or invoking this skill may use an existing Telegram account session on the machine, not just an anonymous public search.
An authorized Telethon session represents delegated access to a Telegram account. The artifacts do not specify which account/session is used, where the session is stored, what permissions are available, or how access is constrained to public search.
using an already-authorized Telethon session on this VPS
Use a dedicated low-privilege Telegram account/session for this skill, document the session location and account, and ensure the user can revoke or rotate it.
The main behavior depends on unreviewed local code, so the user cannot verify from these artifacts whether it only performs the advertised public Telegram search.
The skill executes a system-wide helper that is not included in the manifest and has no install/provenance information. The reviewed package therefore does not show the code that performs the Telegram access.
["/usr/local/bin/tg_search", query, limit]
Include the helper source or a pinned, verifiable install specification, and declare /usr/local/bin/tg_search as a required binary.
Using the skill runs a local program on the host, with behavior determined by that installed helper.
The wrapper runs a local command. This is disclosed and central to the skill purpose, and it avoids shell=True, but users should still be aware that invoking the skill executes local code.
subprocess.run(
    ["/usr/local/bin/tg_search", query, limit],
    capture_output=True,
    text=True
)
Verify the installed /usr/local/bin/tg_search helper before use and keep it under controlled ownership and permissions.
