Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CommunityOS Lite

v1.1.1

Manage Telegram bots locally via a simple UI with LLM-powered replies and a text knowledge base, supporting multiple LLM providers and no internet exposure.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill claims local-only Telegram+LLM bot management, which explains the need for Telegram tokens and LLM API keys, and the code does perform Telegram/LLM calls. However, the registry metadata in the header states no required env vars, while SKILL.md and the source clearly expect multiple API keys; this metadata mismatch is inconsistent. The README also mentions an llm/ provider folder, but that folder (and the bot_engine.llm module) is not present in the file manifest, indicating missing runtime components. Several function signatures and usage patterns (e.g., BotManager creating BotInstance with different params than BotInstance.__init__ accepts) do not line up, suggesting the bundle may be broken or cobbled together from different versions.
Instruction Scope (flagged)
Runtime instructions ask the operator to install dependencies and run admin/app.py locally, and warn 'bind to 127.0.0.1' and 'no authentication'. The code indeed reads .env into os.environ, creates local data/knowledge directories, and exposes an admin UI that explicitly lacks auth (require_auth returns a default 'admin'). The runner polls Telegram and forwards messages to LLM providers using API keys from env or local config. That behavior is coherent with the stated purpose, but the absence of authentication combined with persistent local storage of tokens increases risk. Some internal references (LLMFactory) also point to missing code, and there are mismatches in handler logic, so the instructions give operational control but the code may not behave correctly.
Install Mechanism
There is no scripted install spec in the registry (instruction-only), but SKILL.md recommends creating a Python venv and pip-installing requirements.txt. The packages listed are common (fastapi, requests, chromadb, etc.). This is moderate risk because pip installs external packages (notably chromadb), but there are no opaque external downloads or archive extractions in the skill bundle itself.
Credentials
The skill legitimately needs Telegram tokens and one or more LLM API keys to function; SKILL.md lists MINIMAX/OPENAI/ANTHROPIC/DEEPSEEK keys. That is proportional to the described features. However, the registry metadata and top-level manifest report 'no required env vars', which is inconsistent. The code reads arbitrary env keys from .env (and will store API keys in local JSON config via the UI), so users should know that credentials will be stored locally and used for outbound API calls.
Persistence & Privilege (flagged)
The skill runs as a local web service that creates persistent directories (admin/data, knowledge, chroma_db) and writes JSON configs and logs. The admin UI explicitly has no auth (login is skipped), which, combined with persistent storage of tokens, is dangerous on multi-user or network-exposed hosts. 'always' is false and it does not request system-wide config, but the lack of authentication and the persistent credentials warrant caution.
What to consider before installing
This package is not a clean plug-and-play: it will read your .env, store config and API keys locally, and contact Telegram and LLM providers. Before installing:

  1. Do not run on a machine exposed to the network; run in an isolated VM or container and confirm the server binds to 127.0.0.1.
  2. Do not provide production API keys; use throwaway/test keys.
  3. Inspect missing components: the code references bot_engine.llm and other pieces that are not in the bundle; ask the author or obtain the full upstream repo.
  4. Be aware the admin UI explicitly has no authentication (require_auth returns a default admin), so anyone with network access to the port can control bots and view stored secrets.
  5. If you decide to try it, run it in a disposable environment, inspect admin/data/ and llm_config.json for stored keys, and consider adding an authentication proxy or firewall rule before exposing any service.


latest: vk972b6p2nfpk7q1vzj71fbkcns844hq9

SKILL.md

CommunityOS-Lite

Simple Telegram Bot management with LLM and knowledge base.

⚠️ Security Warnings

⚠️ LOCAL ONLY - Bind to 127.0.0.1; do not expose to the public internet

⚠️ NO AUTHENTICATION - The Admin UI has no authentication; use it locally only

Required Environment Variables

# Telegram Bot Token (from @BotFather)
TELEGRAM_BOT_TOKEN_XXX=your_bot_token

# LLM API Keys (at least one required)
MINIMAX_API_KEY=your_minimax_key     # Recommended - has free tier
OPENAI_API_KEY=your_openai_key
ANTHROPIC_API_KEY=your_anthropic_key
DEEPSEEK_API_KEY=your_deepseek_key

Features

  • 🤖 Bot Management - Create, edit, delete Telegram bots
  • 🔑 Global LLM Config - Unified LLM settings (MiniMax, OpenAI, Anthropic, DeepSeek)
  • 📚 Text Knowledge Base - Paste text directly, bot answers within knowledge scope
  • 💬 Auto Reply - Bot auto-replies in groups without group config
  • 🔒 DM Control - Toggle Allow DM to control private chat

Quick Start

cd ~/.openclaw/workspace/skills/communityOS-Lite

# Create venv
python -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Configure environment
cp .env.example .env
# Edit .env with your API keys

# Run (binds to 127.0.0.1 only)
python admin/app.py

Visit: http://127.0.0.1:8877/lite

Security Notes

  1. Local Only - Server binds to 127.0.0.1, not exposed to internet
  2. No Built-in Auth - Admin UI has no authentication
  3. Credentials Required - Needs Telegram bot tokens and LLM API keys
  4. Outbound Network - Makes calls to Telegram API and LLM providers
  5. Use Throwaway Keys - For testing, use separate API keys

Architecture

  • admin/app.py - FastAPI backend (no external dependencies)
  • admin/lite.html - Simple UI
  • bot_engine/ - Bot runtime (self-contained)
  • config/ - Configuration files

Note: The harness module is NOT required for Lite version.

Files (14 total)
