Telegram Voice Group

Warn

Audited by ClawScan on May 18, 2026.

Overview

This skill matches its Telegram voice-message purpose, but it needs review because it asks for broad Telegram admin powers and builds shell commands from user-controlled message text.

Install only if you trust the execution environment, can restrict the Telegram bot to send-message/send-media permissions, and understand that message text may be processed by TTS tooling and posted to the selected group. The command construction should be fixed before handling untrusted text.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted voice message or parameter could potentially run unintended local commands on the machine where the skill executes.

Why it was flagged

The command is executed through a shell with user-controlled text and optional voice/rate values interpolated into the command string. Removing double quotes is not sufficient shell escaping; values such as command substitution can still be dangerous.

Skill content

await execAsync(`edge-tts --voice "${voice}" --rate="${rate}" --text "${cleanedText.replace(/\"/g, '')}" --write-media "${tempMp3}"`);

Recommendation

Replace shell-string exec with execFile/spawn argument arrays, validate voice and rate against allowlists, and avoid passing raw user text through a shell.

What this means

If the bot or skill is misused or compromised, it may be able to delete messages, change group settings, restrict or ban members, or receive more authority than the voice-message feature requires.

Why it was flagged

The stated purpose is sending Telegram voice messages, but the setup asks users to grant broad group administration and moderation permissions beyond send-message/send-media access.

Skill content

Grant the following permissions: delete messages, edit group info, send messages, send media, restrict members, ban members, add admins - optional

Recommendation

Grant only the minimum Telegram permissions required to send messages/media, avoid add-admin and moderation rights unless separately justified, and document exactly which permissions are required.

What this means

The agent can post generated voice messages into Telegram groups or topics under the configured bot identity.

Why it was flagged

Sending Telegram messages is the skill's disclosed purpose, but it is still a public or group-visible mutation action that should remain user-directed.

Skill content

Use the message tool to send the voice file to the specified group

Recommendation

Use explicit user requests for each send action, verify the target group/topic before posting, and avoid enabling autonomous posting workflows unless intended.

What this means

Text that is converted to speech may be handled by the TTS provider, so sensitive content should not be sent unless the user accepts that data flow.

Why it was flagged

The voice text is processed through the edge-tts/Microsoft TTS tooling as part of the disclosed feature, which may involve an external provider depending on the installed edge-tts implementation.

Skill content

Use Microsoft Edge-TTS to generate high-quality Chinese speech

Recommendation

Clearly disclose provider-side processing and avoid converting secrets, private personal data, or confidential business content unless approved.