TMS (Telegram Media Server)
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a transparent instruction-only TMS API skill, but installing it lets an agent start, search, and delete downloads on a trusted TMS server.
Install this if you control the TMS server and want OpenClaw to manage its downloads. Set TMS_API_URL carefully, protect TMS_API_KEY, secure any webhook with a strong token, and consider disabling autonomous model invocation or requiring confirmation for add/delete actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the agent can start downloads or stop/remove existing TMS downloads when it decides the task calls for it.
The skill gives the agent direct REST operations that can create or remove download jobs. This is central to the stated purpose and is disclosed, but it is still a mutable action users should understand.
The agent must make HTTP requests (GET/POST/DELETE) to the TMS endpoints... Add download... Delete download — stops and removes the download.
Use the skill only with a TMS instance you control, and consider requiring explicit user confirmation before add or delete requests.
Whoever controls the agent may also control the configured TMS download API within that key or localhost trust boundary.
The skill can use delegated TMS API authority, either through local unauthenticated access or an API key. This is expected for the integration and is described openly.
TMS accepts requests from localhost without a key... set TMS_API_KEY and send every API request with either Authorization: Bearer <TMS_API_KEY> or header X-API-Key: <TMS_API_KEY>.
Keep TMS_API_KEY secret, point TMS_API_URL only at a trusted server, and avoid exposing unauthenticated TMS API access beyond localhost.
The security of the overall setup depends on the TMS server installation and configuration, not just this skill package.
The skill is instruction-only, but it depends on a separately installed backend from an external repository. This is purpose-aligned and disclosed, not hidden.
Install Telegram Media Server (required before using this skill): Repository: github.com/NikitaDmitryuk/telegram-media-server... Clone, build, and configure as described in the project README.
Install TMS from the intended repository, review its configuration, keep it updated, and avoid pointing the skill at an untrusted service.
A webhook can deliver download status and titles into an OpenClaw endpoint; if misconfigured, unwanted senders could hit that endpoint.
The documentation describes an optional webhook flow from TMS into OpenClaw with a bearer token. It is disclosed and scoped, but webhook endpoints need authentication and network controls.
Optional — Webhook... TMS_WEBHOOK_URL... TMS_WEBHOOK_TOKEN... TMS will POST JSON { id, title, status, error?, event_id } on completion/failure/stopped.
Use a strong webhook token, restrict the webhook endpoint to trusted networks where possible, and avoid exposing it publicly without authentication.
