ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Publora Telegram

v1.2.0

Post or schedule content to Telegram channels and groups using the Publora API. Use this skill when the user wants to publish or schedule Telegram messages v...

0· 601·1 current·1 all-time
bySergey Bulaev@sergebulaev

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sergebulaev/publora-telegram.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Publora Telegram" (sergebulaev/publora-telegram) from ClawHub.
Skill page: https://clawhub.ai/sergebulaev/publora-telegram
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install sergebulaev/publora-telegram

ClawHub CLI

Package manager switcher

npx clawhub@latest install publora-telegram
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with the documented actions (posting/scheduling to Telegram via the Publora API). However, the SKILL.md clearly requires a Publora API key (x-publora-key) and references a separate 'publora' core skill for auth/scheduling, yet the skill metadata declares no required environment variables and no dependency on a publora core skill. That mismatch suggests missing declarations (not necessarily malicious, but inconsistent).
Instruction Scope
Runtime instructions are limited to calling Publora endpoints and uploading local media files (open('image.jpg') for upload). Those actions are in-scope for a Telegram posting skill. The instructions do not attempt to read unrelated system files or external endpoints. They are however vague about how credentials are supplied at runtime (they show header usage but don't declare where/how the agent should obtain/store the key).
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal footprint and nothing written to disk by the skill itself.
!
Credentials
The SKILL.md clearly requires an x-publora-key (Publora API key) and, indirectly, a Telegram bot token to set up Publora integration, but the registry metadata lists no required environment variables or primary credential. This is a disproportionate omission: the skill will need secrets to operate but doesn't declare them, so it's unclear how credentials will be requested, passed, or stored.
Persistence & Privilege
The skill does not request always:true or any elevated platform presence; there is no install, no persistent configuration changes, and default autonomous invocation settings are unchanged.
What to consider before installing
This skill appears to be a straightforward Publora→Telegram how-to, but there are important omissions. Before installing or using it: 1) Confirm how the Publora API key (x-publora-key) and your Telegram bot token will be provided and stored — the skill metadata does not declare required env vars, which makes credential handling unclear. 2) Verify whether you need the separate 'publora' core skill (auth/workspace) — the SKILL.md references it but the dependency is not declared. 3) Be cautious when uploading local media: the instructions open local files for upload, so the agent or any helper code will need filesystem access. 4) Only provide your Publora key and bot token to publishers you trust; check Publora's docs and privacy policy for how they handle your bot token and posted content. If the publisher can clarify where credentials are expected (env var name, secure prompt, or external dashboard) and declare the dependency on the publora core skill, the incoherence would be resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97149nfna9n2merej8ha2t60182wvz3
601downloads
0stars
3versions
Updated 1h ago
v1.2.0
MIT-0
Sergey Bulaev@sergebulaev
latest
Download

Publora — Telegram

Telegram platform skill for the Publora API. For auth, core scheduling, media upload, and workspace/webhook docs, see the publora core skill.

Base URL: https://api.publora.com/api/v1
Header: x-publora-key: sk_YOUR_KEY
Platform ID format: telegram-{chatId}

Requirements

  1. Create a bot via @BotFather on Telegram
  2. Copy the bot token
  3. Add the bot as an administrator of your target channel or group
  4. Connect via Publora dashboard using the bot token + channel name

Platform Limits (API — Bot API)

⚠️ Telegram Bot API has a strict 50 MB file limit (not the 4 GB that user clients allow).

PropertyBot API LimitUser Client
Text (message)4,096 charactersSame
Media caption1,024 characters ⚠️4,096 (Premium)
ImagesUp to 10 × 10 MBJPEG, PNG, GIF, WebP, BMP
Video50 MB ⚠️4 GB
Video formatsMP4, MOV, AVI, MKV, WebM
Text only✅ Yes
Rate limit30 messages/sec20 messages/min per group

Common errors:

  • MEDIA_CAPTION_TOO_LONG — caption exceeds 1,024 chars → reduce or move text to message body
  • Bad Request: file is too big — file exceeds 50 MB → compress or use a smaller file

Post a Text Message

await fetch('https://api.publora.com/api/v1/create-post', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' },
  body: JSON.stringify({
    content: '📢 **Announcement**: Our new feature is live! Check it out at publora.com\n\n#update #publora',
    platforms: ['telegram--1001234567890']  // note: group chat IDs are negative
  })
});

Markdown formatting is supported in Telegram messages.

Schedule a Message

body: JSON.stringify({
  content: 'Your Telegram channel message here',
  platforms: ['telegram--1001234567890'],
  scheduledTime: '2026-03-20T09:00:00.000Z'
})

Send an Image

import requests

HEADERS = { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' }

# Step 1: Create post (content = caption, max 1,024 chars for media)
post = requests.post('https://api.publora.com/api/v1/create-post', headers=HEADERS, json={
    'content': 'Check out our latest update! 🚀',   # keep under 1,024 chars when attaching media
    'platforms': ['telegram--1001234567890']
}).json()

# Step 2: Get upload URL (max 10 MB per image)
upload = requests.post('https://api.publora.com/api/v1/get-upload-url', headers=HEADERS, json={
    'postGroupId': post['postGroupId'],
    'fileName': 'image.jpg',
    'contentType': 'image/jpeg',
    'type': 'image'
}).json()

# Step 3: Upload
with open('image.jpg', 'rb') as f:
    requests.put(upload['uploadUrl'], headers={'Content-Type': 'image/jpeg'}, data=f)

Send a Video (max 50 MB)

Same flow as image but use contentType: 'video/mp4' and type: 'video'. Keep the file under 50 MB.

Platform Quirks

  • Bot API file limit is 50 MB — not 4 GB like Telegram user clients. For larger files, you'd need a Local Bot API Server (not supported by Publora)
  • Caption vs message body: When attaching media, content becomes the caption (max 1,024 chars). For text-only posts, content can be up to 4,096 chars.
  • Markdown supported: Use **bold**, _italic_, `code`, [link](url) in message content
  • Group chat IDs are negative: e.g. telegram--1001234567890
  • Bot must be admin: The bot needs admin permissions to post in channels; in groups, it needs at least "Send messages" permission
  • Rate limit: 30 messages/second globally; 20 messages/minute per group — Publora handles queuing automatically

Comments

Loading comments...