Skill v1.0.0

ClawScan security

Telegram News Digest (Lite) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 2:46 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions mostly match its stated purpose (scraping public t.me pages, summarizing with an LLM, and delivering digests), but there are multiple inconsistencies and small scope/metadata mismatches that merit review before installing.
Guidance
Things to check before installing:
- Clarify the env/metadata mismatch: registry metadata says no env vars are required, but the skill manifest and code expect OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN. If you rely on a hosted LLM gateway, provide a token with appropriate scope; otherwise the code falls back to a local gateway URL and a default token string.
- Confirm dependency installation policy: package.json lists npm packages. Ensure the platform will install these packages from trusted registries (or audit/lock the package versions) before running the skill.
- Verify where config.yaml will live: the README suggests ~/.openclaw/skills/... but the code reads/writes ./config.yaml relative to the skill working dir. Confirm the runtime path to avoid unexpected writes to your home directory or losing configuration.
- Review network permissions: the skill can contact t.me and LLM provider hosts. If you want to limit blast radius, run it in a restricted environment or ensure your OpenClaw gateway token has limited scope.
- Legal/TOU considerations: the skill scrapes public Telegram pages; ensure scraping is permitted for the channels you monitor.
- Operational test: run the skill in a sandboxed environment with a small channel list and DEBUG enabled to confirm behavior (where files are written, what endpoints are contacted). If you don't want it to call external LLMs, configure a local gateway or run it with network disabled.
Given the mismatches (manifest vs registry metadata, package.json without an install spec, and path/documentation inconsistencies), proceed cautiously — these look like sloppy packaging rather than clear malicious intent, but they increase operational risk.

Review Dimensions

Purpose & Capability
note
The skill's functionality (web-scrape t.me/s/*, deduplicate, summarize via an LLM, persist seen-hashes, and notify via OpenClaw) is coherent with its name and description. Network and filesystem permissions declared in SKILL.md (t.me, state directory, config.yaml) match expected behavior. One mismatch: the registry metadata shown at the top claims 'Required env vars: none', but both skill.yaml and SKILL.md declare env permissions for OPENCLAW_GATEWAY_URL / OPENCLAW_GATEWAY_TOKEN and the code reads process.env.OPENCLAW_GATEWAY_TOKEN — so the registry metadata is inconsistent with the packaged skill.
Instruction Scope
note
SKILL.md and the code limit actions to fetching public Telegram web pages, reading/writing a local config and a ./state/seen_messages.json, and calling an LLM gateway. There are two small scope issues to be aware of: (1) the README and some docs reference editing ~/.openclaw/skills/... while the code operates on ./config.yaml (relative path) — this path mismatch could surprise users about where credentials/config are stored; (2) SKILL.md frontmatter lists env permissions and network hosts the skill may contact (including api.openai.com and several provider domains), which is broader than strictly required by the code unless the user config points the gateway at those hosts.
Install Mechanism
concern
The package includes a package.json with Node dependencies (axios, cheerio, openai, fs-extra, yaml) but there is no install spec in the skill manifest. That is not inherently malicious but is an operational inconsistency: without an explicit install step the runtime may fail if dependencies are not present, or the platform's installer behavior may install packages automatically. Because dependencies could pull code from npm, you should review/pin versions and ensure your environment installs packages predictably (and validate origin).
Credentials
note
The skill requests access to an LLM gateway via OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN (declared in SKILL.md and skill.yaml and used in code). Those are proportionate for a summarization skill. There are no unrelated secrets requested. Minor note: the top-level registry summary said 'Required env vars: none', which conflicts with the manifest; this inconsistency should be clarified before trusting the skill.
Persistence & Privilege
ok
The skill writes only to its own local state file (./state/seen_messages.json) and ./config.yaml. It does not request 'always: true', does not declare system-wide modifications, and does not modify other skills' config. File writes and local persistence are proportionate to its purpose.