Telegram-Bot-managerj
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill openly describes itself as a local full-drive file server, but it handles a very powerful access token and a file-browser UI in ways that could expose local files if misused or exploited.
Only use this if you intentionally want a local file server with access to the configured root. Keep it bound to 127.0.0.1, use a strong token, avoid putting the token in URLs, restrict the root to a small trusted folder, and do not use the web UI on directories that may contain untrusted filenames until the UI escaping issue is fixed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously named file or folder under a browsed root could take over the local file-browser page and use the same UI/token context to access files.
File and directory names returned by the server are inserted into innerHTML without escaping. On platforms or roots where filenames can contain HTML-special characters, a crafted filename could execute script in the management UI.
tr.innerHTML = `\n <td>${e.isDirectory ? '📁' : '📄'} ${e.name}</td> ... <td>${action}</td>`;
Render file names with textContent/createElement instead of innerHTML, escape all attribute values, and avoid browsing untrusted writable directories until this is fixed.
The file-server token can end up in browser history, copied URLs, screenshots, or local request logs, giving anyone who obtains it access to the exposed root while the server is running.
The UI reads the access token from the URL, sends it as a query parameter, and writes it back into browser history. That token protects a server capable of reading and downloading local files.
if (qs.get('token')) tokenEl.value = qs.get('token'); ... if (token) p.set('token', token); ... const res = await fetch(`/list?${q(p, t)}`); ... history.replaceState(null, '', `/?${q(p, t)}`);
Prefer the Authorization or x-god-mode-token header, do not place tokens in URLs, and clear any token that may have been saved in browser history.
If you narrow the root to a folder but that folder contains links to sensitive locations, the server may still expose files outside the folder you thought you had limited it to.
Path containment is checked lexically, before fs.statSync/createReadStream, and those calls follow symlinks. If the exposed root contains a symlink or junction to another location, the server can read outside the intended root despite the 'safe' path check.
const fullPath = path.resolve(ROOT, requested); const rel = path.relative(ROOT, fullPath); ... const st = fs.statSync(fullPath); ... return fs.createReadStream(filePath).pipe(res);
Resolve real paths after symlink traversal and verify they remain under the configured root, or explicitly reject symlinks/junctions in listed and downloaded paths.
Anyone with local access to the server and the token can browse and download files under the configured root.
The server is intentionally capable of reading and downloading files from the configured root, which defaults to the Windows C:\ drive. This is purpose-aligned but high impact.
const ROOT = path.resolve(process.env.GOD_MODE_ROOT || 'C:\\'); ... if (route === '/read' ... ) ... if (route === '/download' ... )
Set GOD_MODE_ROOT to the smallest necessary directory, keep GOD_MODE_HOST on 127.0.0.1, use a strong unique token, and stop the server when not needed.
A user relying on the package name or slug could misunderstand what they are installing.
The registry identity suggests a Telegram bot, while the supplied SKILL.md and code identify as 'god-mode-manager' and implement a local high-privilege file server.
Name: Telegram-Bot-managerj ... Slug: telegrambot
Treat this as the God Mode Manager file-server skill, not a Telegram bot, and verify the package identity before installing.
The incomplete provenance and runtime declaration make it harder to verify and prepare the skill safely.
The skill is source-unknown and metadata does not declare Node as a required runtime, even though SKILL.md tells the user to run a Node script.
Source: unknown ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Review the included source before use, ensure Node is intentionally available, and prefer packages with clear provenance and accurate runtime declarations.
