Skill v1.0.0
ClawScan security
F5 Telegram Notify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 5:40 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it claims (send Telegram notifications for F5-TTS training) but contains hard-coded Telegram credentials and reads host .env and training logs, creating a realistic risk of unintended data exfiltration to the embedded bot owner unless you explicitly override them.
- Guidance: Do not run these scripts without reviewing and editing them. Specific recommendations:
  - Remove or replace the hard-coded TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID in docker_notify.sh and notify.sh before use; supply your own token/chat via environment variables or a local .env under your control.
  - Assume failure notifications may include snippets of training logs and the command used; inspect docker_train.sh and train_with_notify.sh and remove or sanitize any log or command text you do not want sent externally.
  - Modify notify.mjs's loadEnv paths so it only reads .env from an explicit, expected location (and not an absolute path to someone else's project). Prefer to rely on environment variables rather than auto-loading arbitrary files.
  - Rotate any Telegram token that may have been exposed in repositories or CI, and verify ownership of the bot/chat before trusting notifications.
  - Test in an isolated environment with no sensitive data to confirm behavior, and consider implementing an explicit opt-in configuration (no defaults that point to a third-party account).

  Given the embedded credentials and log-sending behavior, treat this skill as potentially leaking data until you sanitize and reconfigure it.
Review Dimensions
- Purpose & Capability
  - concern: Name/description match the code (notification around F5-TTS training). However the registry metadata declares no required env vars/credentials while the SKILL.md and scripts clearly require TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID — a mismatch. Also SKILL.md and scripts reference absolute developer paths (e.g. /home/seiya/...), which are environment-specific and surprising for a generic skill.
- Instruction Scope
  - concern: Runtime instructions and scripts will read .env files from multiple locations (including an absolute project path) and, on failure, collect and send the last ~50 lines of training logs ($LAST_LOG) in docker_train.sh and command/exit info in train_with_notify.sh. That means runtime behavior can transmit local log contents and command-line context to the Telegram account controlled by the token — which is broader than a simple 'notify success/failure' if those logs/commands contain sensitive data.
- Install Mechanism
  - ok: No install spec and no downloads; this is an instruction + script bundle only, which reduces installation risk. The code runs local shell and Node.js but does not install external packages automatically.
- Credentials
  - concern: The skill legitimately needs TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, but the registry metadata did not declare them (incoherent). More importantly, the scripts include hard-coded default values for these variables (e.g. TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID embedded in docker_notify.sh and notify.sh). If a user does not supply their own env vars, notifications (including potentially large log excerpts) will be sent to the embedded bot/chat controlled by whoever published the skill, which risks leaking local information.
- Persistence & Privilege
  - ok: The skill does not request always:true, does not modify other skills, and does not require elevated system privileges. It runs only when invoked via the provided scripts.
