Telegram Interactive Buttons
AdvisoryAudited by Static analysis on Mar 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong chat ID or message content is used, the bot could post an unintended message to a Telegram chat.
The helper sends user-supplied message content and button JSON to a Telegram target through the OpenClaw CLI. This matches the skill purpose, but it is still an externally visible action.
openclaw message send --target "$TARGET" --message "$MESSAGE" --buttons "$BUTTONS"
Verify the target chat ID, message text, and buttons before use, especially for group or production chats.
Anyone who can access the configured bot token may be able to send messages as the bot in chats where it is present.
The skill requires configuring a Telegram bot token so OpenClaw can send messages as that bot. This is expected for Telegram integration, but it is account-level messaging authority.
"botToken": "YOUR_BOT_TOKEN_HERE"
Store the bot token securely, restrict the bot to chats you control, avoid committing config files, and rotate the token if it is exposed.
Installing a global CLI from an unverified source could affect the local environment.
The setup uses a user-directed global CLI install without a pinned version. This is a normal prerequisite for the skill but is still a supply-chain point users should verify.
npm install -g openclaw
Install OpenClaw from its official source, consider pinning a trusted version, and review the helper scripts before running them.