Back to skill
Skillv1.0.1
ClawScan security
Telegram History via LifeQuery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 7, 2026, 6:32 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with its stated purpose (querying a LifeQuery instance for Telegram history) and request only the expected configuration (LifeQuery URL and optional API key).
- Guidance
- This skill is coherent: it simply forwards a search query to a configured LifeQuery instance and returns the response. Before installing or using it, ensure the LIFEQUERY_BASE_URL points to a LifeQuery server you control or trust (a remote server could see all queries you send). If you use an API key, keep it secret. Note the skill itself does not access your Telegram app directly—it relies on the LifeQuery server to have imported or indexed your Telegram history. Also be aware of a minor metadata mismatch: SKILL.md and skill.yaml document the LIFEQUERY_* env vars (optional), even though registry metadata listed none.
Review Dimensions
- Purpose & Capability
- okThe skill name/description, skill.yaml, SKILL.md, and the Python script all align: they call a LifeQuery /chat/completions endpoint to search Telegram history. The only configuration requested (LIFEQUERY_BASE_URL and optional LIFEQUERY_API_KEY) is appropriate. Minor note: registry metadata listed no required env vars while SKILL.md and skill.yaml document these environment variables (they are optional defaults), but this is a minor metadata mismatch rather than a functional inconsistency.
- Instruction Scope
- noteThe runtime instructions and script are narrowly scoped: they accept a single query argument, read the LifeQuery base URL and optional API key from environment variables, POST a single request to /chat/completions, and print the response. They do not read local Telegram files or other system secrets. Note: the skill will send whatever query (potentially user content) to the configured LifeQuery endpoint, so the trustworthiness of that endpoint determines whether query content or context is exposed.
- Install Mechanism
- okThere is no install spec (instruction-only plus an included Python script). Nothing is downloaded or written to disk by an installer; the script runs with the system Python. This is low-risk from an install-mechanism perspective.
- Credentials
- okThe only environment settings are LIFEQUERY_BASE_URL and an optional LIFEQUERY_API_KEY, which are directly relevant and proportionate to reaching a LifeQuery service. The skill does not request unrelated credentials or access to other configuration paths.
- Persistence & Privilege
- okThe skill is not always-on and is user-invocable; it does not request persistent platform privileges or modify other skills/config. Autonomous invocation remains allowed by platform default but is not combined with broad or unusual privileges here.