Back to skill
Skillv1.2.1
ClawScan security
Telegram Chat To Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 5:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with its stated purpose (converting a Telegram JSON export to a long PNG); it requires only Pillow and performs local file I/O with no network calls or secret access.
- Guidance
- This skill appears coherent and performs only local processing of a Telegram JSON export into a PNG. Before running: (1) review the included script yourself since the source is 'unknown'; (2) be mindful of very large exports — rendering extremely tall images can consume a lot of memory/CPU; (3) the only dependency is Pillow (pip install Pillow); (4) the script reads files from disk and writes the image output — it does not appear to perform network I/O or access secrets, but if you plan to share outputs, ensure they don't contain private data. If you need stronger assurance, run it in a sandboxed environment or inspect the complete script file that will be executed.
Review Dimensions
- Purpose & Capability
- okName/description match the code and SKILL.md: the script reads Telegram Desktop JSON and renders a long chat image. No unrelated binaries, cloud services, or credentials are requested.
- Instruction Scope
- okSKILL.md instructs CLI usage (pip install Pillow, run the script with --input/--output) and describes expected input/output. The instructions do not ask the agent to read unrelated files, access environment secrets, or transmit data externally.
- Install Mechanism
- okNo install spec is provided (instruction-only), so nothing is written to disk by an automated installer. The only runtime dependency is the well-known Pillow package installed via pip as documented.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. The code uses local filesystem (reading JSON export, optional font files) which is appropriate for the task.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system presence or modify other skills. It performs one-off local rendering and writes only the output image (and optionally a ZIP if user follows recommendations).