Telegram Bot Builder
Review
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only Telegram Bot API skill is coherent and transparent, but it can use a bot token to post messages, upload files, moderate chats, and configure webhooks.
Use this with a bot token you control, verify chat/user/message IDs before any write or moderation action, test in a private chat first, and only configure webhooks to trusted HTTPS servers.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is exposed or used incorrectly, messages and bot-management actions can be performed as your Telegram bot.
The skill requires a Telegram bot token, which is expected for this purpose but grants delegated authority to act as the bot.
export TELEGRAM_BOT_TOKEN="your-bot-token"
Use a dedicated bot token, limit the bot's admin rights in groups/channels, avoid sharing the token, and rotate it with BotFather if it may have been exposed.
Using the wrong chat ID, user ID, or message ID could post to the wrong place or moderate the wrong Telegram user/message.
The documented Telegram API examples include real write and moderation operations, including posting messages, banning users, and deleting messages.
sendMessage ... banChatMember ... deleteMessage
Test in a private chat first and require explicit confirmation before sending, deleting, banning, unbanning, or changing bot commands in shared groups or channels.
Telegram updates from chats involving the bot may be delivered to the configured webhook server.
The webhook example configures Telegram to send message and callback updates to an external server endpoint.
"url": "https://your-server.com/webhook", "allowed_updates": ["message", "callback_query"]
Only set webhooks to trusted HTTPS endpoints you control, understand what update types are being delivered, and delete the webhook when it is no longer needed.
