Back to skill
Skillv1.0.1
ClawScan security
Telegram Agent Setup V101 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 4, 2026, 9:52 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The instructions, requirements, and actions in this skill are coherent with its stated purpose of connecting OpenClaw to Telegram and do not request unrelated credentials or risky installs.
- Guidance
- This guide appears coherent and appropriate for connecting OpenClaw to Telegram. Before following it: (1) Keep your bot token secret — do not commit ~/.openclaw/openclaw.json to source control or paste the token in chat; consider using a secrets manager if available. (2) Use the recommended venv for faster-whisper and verify you install packages from PyPI only. (3) Configure allowedChatIds and rejectUnknown:true to prevent unauthorized use. (4) Confirm outbound HTTPS access for the gateway and that logs do not leak secrets. (5) Verify the instructions against official OpenClaw documentation if available, and be cautious about contacting third-party helpers listed in the README.
Review Dimensions
- Purpose & Capability
- okThe skill is an instruction-only guide to create a Telegram bot, configure OpenClaw, and enable STT via faster-whisper. All required steps (BotFather token, editing ~/.openclaw/openclaw.json, installing faster-whisper) align with that purpose.
- Instruction Scope
- okRuntime instructions stay on-topic: creating the bot, editing OpenClaw config, examining logs, enabling group behavior, and installing a local STT package. The skill does not direct the agent to read unrelated system paths or exfiltrate data to third-party endpoints.
- Install Mechanism
- okThis is instruction-only (no install spec). The only installation recommended is a pip install of faster-whisper into a local venv, which is proportionate to the stated STT capability and uses a common package source.
- Credentials
- okNo platform environment variables or external credentials are requested by the registry metadata. The guide correctly asks the user to supply their Telegram bot token in the OpenClaw config file (not as an env var). This is proportionate, though users should follow secure storage practices.
- Persistence & Privilege
- okThe skill does not request always:true or system-wide privileges and is user-invocable only. It does not instruct modifying other skills or agent-wide settings beyond the agent's own OpenClaw config file.