Skill v1.0.0

ClawScan security

Telegram Direct Send · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 8, 2026, 1:03 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions clearly require a Telegram bot token and chat ID, but the registry metadata does not declare any required environment variables; the skill is otherwise simple and coherent, but the metadata/instructions mismatch and the recommendation to auto-load secrets in shell startup are concerning.
Guidance
This skill appears to do what it says (use curl to call Telegram Bot API), but the package metadata does not declare the environment variables the instructions require. Before installing: (1) treat TELEGRAM_BOT_TOKEN as a secret — prefer creating a dedicated bot with minimal scope and use a throwaway chat for testing; (2) do not blindly add auto-source lines to your ~/.bashrc unless you understand the security implications (sourcing a .env from a writable skill folder can be abused); (3) verify the skill's source/author (no homepage or repo is provided here); (4) if you proceed, keep the bot token out of version control, and revoke the token immediately if you suspect misuse. The metadata mismatch is the main red flag — ask the publisher to update the registry to declare required env variables (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) so the permission model is transparent.

Review Dimensions

Purpose & Capability
concern · Skill name and description match the instructions (it uses curl to call Telegram Bot API). However the registry metadata lists no required environment variables while the SKILL.md repeatedly instructs users to provide TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID — an incoherence between declared requirements and actual runtime needs.
Instruction Scope
note · SKILL.md is instruction-only and stays on-task: it shows curl commands to call Telegram endpoints and how to obtain bot token/chat id. It tells the agent/user to source a .env file and offers a wrapper script that sources the .env from the skill directory; these instructions grant the skill access to user-provided secrets and local filesystem paths but are consistent with the stated purpose.
Install Mechanism
ok · No install spec and no code files — instruction-only. Required binary is curl which is appropriate and reasonable for the stated purpose.
Credentials
concern · The runtime clearly needs TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, but the registry metadata lists no required env vars. Requiring a bot token (a secret that allows sending messages/files to Telegram) is proportionate to the feature, but the missing declaration is a metadata inconsistency. Also, storing/sourcing the token from ~/.bashrc or an auto-loaded .env introduces persistence of secrets and increases risk if the file or skill directory is writable by others.
Persistence & Privilege
note · Skill is not forced always-on and does not request elevated privileges. However SKILL.md recommends adding an auto-source line to shell startup to load the .env from the skill workspace, which would persist credentials into interactive shells — an optional convenience that raises persistence and exfiltration risk if misused.