Telegram Agent Memory
Security checks across malware telemetry and agentic risk
Overview
Review before installing: this is a coherent Telegram memory tool, but it asks you to link a Telegram account to an external service that can persist and search channel or group history.
Install only if you trust AgentMemoryBot and agent.ai-vfx.com with your Telegram-accessible conversations. Start with non-sensitive channels, approve each new source and sync range deliberately, protect or revoke the API key if needed, and confirm retention/deletion options before relying on it for private groups.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The external provider, or anyone who obtains the API key, may be able to access/search synchronized Telegram sources tied to the user's account.
The skill requires linking a Telegram account through an external bot and using a bearer token, but the artifact does not define the Telegram permission boundary, session scope, or revocation model.
Connect Telegram (share contact, enter reversed code) → API Keys → Create Key ... All API calls use: `Authorization: Bearer $AGENT_MEMORY_API_KEY`
Only connect if you trust the provider; use the minimum necessary Telegram sources; confirm how to revoke the key/session and what account access is granted.
Private or sensitive Telegram messages could be stored long term and reused in later agent answers across broad scopes.
The skill intentionally persists and retrieves Telegram conversation data, including an all-connected-sources mode, but the artifact does not describe retention, deletion, exclusions, or how retrieved channel content should be treated as untrusted.
Gives you persistent long-term memory across Telegram channels and groups ... `scope`: optional — `@username` for one channel, `folder:Name` for a folder, omit for all
Limit connected sources, avoid highly sensitive channels, ask the provider about retention/deletion controls, and treat retrieved Telegram content as untrusted context.
An overly broad or mistaken source addition could sync more Telegram history than intended, and repeated searches/digests can consume paid balance.
The documented curl operations can add a source, sync historical Telegram data, and spend paid points. This is purpose-aligned, but users should notice that some calls mutate service state or incur costs.
"Connect @newchannel" → add_source ... `sync_range` options: 1w, 1m, 3m, 6m, 1y ... Search: 3 pts, Digest: 25 pts, Decisions: 12 pts
Require explicit user approval for each new source, choose the shortest needed sync range, and confirm paid operations before running them.
Users have limited registry-provided information to verify who operates the service before connecting Telegram data.
The registry does not provide source or homepage provenance for a skill that depends on an external Telegram-memory service.
Source: unknown; Homepage: none
Verify the provider, bot, and domain out of band before sharing credentials or linking a Telegram account.
The API key could appear in shell history or a temporary file during setup on shared systems.
The setup includes a user-directed shell command to modify OpenClaw configuration and temporarily write the API key-containing config through /tmp. It is scoped to this skill, but users should review it before running.
cat ~/.openclaw/openclaw.json | jq '.skills.entries["agent-memory"] = {"env": {"AGENT_MEMORY_API_KEY": "USER_KEY_HERE"}}' > /tmp/oc.json && mv /tmp/oc.json ~/.openclaw/openclaw.json
Prefer a secure OpenClaw secret/config mechanism if available, restrict config file permissions, and avoid leaving key material in temporary files or shell history.
