Skill v1.0.1

ClawScan security

Telegram Rich Messages · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 4:17 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only guide for composing rich Telegram messages; its requirements and instructions are coherent with that purpose and it does not request unrelated credentials or install code.
Guidance
This skill is a documentation/template pack for composing Telegram messages and appears consistent with that goal. Before installing: (1) confirm your agent's Telegram plugin/credentials are configured securely (the skill doesn't supply credentials); (2) be cautious about the guide's recommendation to display IDs/tokens as tap-to-copy monospace — do not use that pattern for secrets or production credentials; (3) note the skill recommends sending local files and editing/deleting messages, so ensure the agent's filesystem access and message-delete privileges are appropriate and audited; (4) test all message flows in a development bot/chat with non-sensitive data before using with real users. If you want the skill to run only with explicit human triggers, keep it user-invocable and review any agent automation rules that might call it autonomously.

Review Dimensions

Purpose & Capability
ok: Name/description match the content: the SKILL.md and reference docs exclusively describe Telegram UI patterns and how to call the platform's `message` tool. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
note: The instructions stay within Telegram messaging features (buttons, quick replies, media, edit/delete, reactions). They explicitly recommend sending local files (e.g., /tmp/report.pdf) and recommend using monospace blocks for IDs/tokens to make them easy to copy. This is coherent for a Telegram UI guide but raises an operational caution: following the 'monospace for tokens' advice can lead to accidental exposure of secrets if the bot or operator posts sensitive credentials into chats.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. Nothing is written to disk by the skill itself.
Credentials
ok: The skill declares no required environment variables or credentials. Its metadata notes it requires the Telegram plugin, which is appropriate. (The Telegram plugin itself will require channel credentials, but those are not requested by this skill.)
Persistence & Privilege
ok: `always` is false and the skill does not request persistent system changes or to modify other skills. It only provides runtime guidance for message composition and use of the platform's message tooling.