Skill v0.1.5

ClawScan security

Create Agent With Telegram Group · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 21, 2026, 3:48 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions align with its stated purpose: it provisions a per-agent workspace and updates OpenClaw config under the user's home directory; nothing requested appears unrelated or excessive.
Guidance
This skill appears coherent and limited in scope, but take these precautions before running it:
1) Review ~/.openclaw/openclaw.json and the generated backup after the script runs;
2) Confirm any browser automation step before allowing it (the skill requires explicit confirmation); browser automation can access your logged-in Telegram session/profile, so only proceed if you understand that action;
3) Verify the chat_id and group title you provide to avoid binding the wrong group;
4) Inspect the included scripts locally (they validate paths to your home and avoid copying auth files) and run them manually if you prefer full control;
5) If you're uncomfortable with automated gateway restarts, refuse that step and perform the restart manually after inspection.

Review Dimensions

Purpose & Capability
ok
The skill's name/description (create an OpenClaw agent and bind it to a Telegram group) matches what the included scripts do: create a workspace, update ~/.openclaw/openclaw.json, and add bindings. No unrelated binaries, cloud creds, or external services are requested.
Instruction Scope
note
Runtime instructions explicitly require reading and writing ~/.openclaw/openclaw.json and creating files under ~/claw-<agent-name> — which the scripts perform. The SKILL.md also calls for browser automation (user-account flow) to create Telegram groups; the provided scripts do not perform browser automation, so that step relies on user action or an external automation tool. SKILL.md mentions reading ~/.openclaw/cron/jobs.json in Access Scope, but the scripts do not touch that file — a minor documentation mismatch but not dangerous. The skill repeatedly requires explicit user confirmation before high-privilege actions (modifying config, triggering automation, restarting gateway), which reduces risk.
Install Mechanism
ok
No install spec or external downloads. It's instruction-first with two small Python scripts included. Nothing is fetched from external URLs or installed to system directories.
Credentials
ok
No environment variables, credentials, or config paths outside the user's home are requested. The scripts validate that config and workspace paths are within the user's home to prevent arbitrary writes. The skill documents that it will not copy auth files between agents.
Persistence & Privilege
ok
The skill writes to the user's ~/.openclaw/openclaw.json and creates a backup by default; this is expected for a provisioning tool and is limited to the user's home. always:true is not set, and the skill does not modify other skills' configs or system-wide settings beyond the OpenClaw config file under ~/.openclaw.