Telegram Userbot

Warn

Audited by ClawScan on May 12, 2026.

Overview

The skill largely matches its Telegram-userbot purpose, but it gives an AI persistent access to a personal Telegram account, defaults to accepting messages from anyone, and contains code that reads OpenClaw session transcripts.

Install only if you are comfortable giving OpenClaw persistent access to a Telegram user account. Use a secondary account, restrict allowFrom to trusted senders, review file permissions on OpenClaw config and backup files, and be cautious if your OpenClaw session history contains sensitive information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can message the connected Telegram account may be able to trigger the assistant unless the user narrows the allowFrom list.

Why it was flagged

The CLI-generated default account configuration allows all senders by default. Because the skill’s purpose is for the assistant to respond through the user’s Telegram account, this is a broad default for a high-impact messaging capability.

Skill content
return {
    ...buildAccountPayload(auth),
    allowFrom: ["*"],
    groupPolicy: "mention",
};
Recommendation

Before enabling the channel, set allowFrom to specific trusted Telegram user IDs or usernames and test with a secondary Telegram account.

What this means

The assistant can operate under the connected Telegram identity, including sending messages that appear to come from the user.

Why it was flagged

The channel requires Telegram API credentials and an authenticated session string. This is expected for an MTProto userbot, but it grants durable access to the Telegram user account.

Skill content
"required": [
    "apiId",
    "apiHash",
    "sessionString"
]
Recommendation

Use a dedicated secondary Telegram account, protect the OpenClaw config file and backups, and revoke the session if the machine or config is exposed.

What this means

Prior assistant conversation content could be reused in Telegram responses or otherwise exposed across contexts if this code path is reached.

Why it was flagged

The runtime includes code that reads OpenClaw main agent session metadata and session transcript files to extract assistant text. This local session access is not described in the README or setup instructions.

Skill content
const rawStore = readFileSync("/root/.openclaw/agents/main/sessions/sessions.json", "utf8"); ... const lines = readFileSync(sessionFile, "utf8")
Recommendation

The publisher should document and tightly scope any transcript fallback behavior, and users should avoid installing it where OpenClaw session logs contain sensitive information.

What this means

The installed dependency version may vary over time depending on package resolution.

Why it was flagged

The package installs an external Telegram library using a semver range. This is normal for a Telegram integration, but it means future compatible dependency versions may be installed.

Skill content
"installDependencies": true,
"dependencies": {
    "telegram": "^2.26.22"
}
Recommendation

Prefer pinned dependency versions or a lockfile for reproducible installs, especially for plugins with account-session access.