v2.1.0

telegram send files

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:51 AM.

Analysis

This skill does what it claims—send selected files to Telegram—but users should understand that files leave the device and Telegram bot credentials are saved locally.

GuidanceBefore installing, confirm you are comfortable with a global CLI that can upload specified files to a configured Telegram chat. Protect the bot token and chat ID, avoid broad file globs on sensitive directories, and use --dry-run when checking what would be sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

scripts/tsend/client.py

file_data = {"document": (filename or file_path.name, file_path.read_bytes())}

        return await self._request("sendDocument", data, files=file_data)

The tool reads the specified local file and sends it to Telegram. This matches the skill purpose, but it means sensitive files can leave the local machine if the user or agent selects the wrong path.

User impactFiles selected for sending are uploaded to the configured Telegram chat.

RecommendationUse explicit file paths when possible, review broad patterns like *.pdf before sending, and use --dry-run for sensitive folders.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

cd <skill-path>/scripts
uv tool install -e .
...
cd <skill-path>/scripts
pip install -e .

The skill is marked as having no install spec, but the documentation instructs users to install a local editable Python package globally. This is purpose-aligned for a CLI tool, but users should notice the install path.

User impactInstalling creates a global tsend command and installs Python dependencies needed by the tool.

RecommendationInstall only from a trusted copy of the skill, and review dependency changes when updating.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/tsend/config.py

CONFIG_PATH = Path.home() / ".tsend" / "config.json"
...
return os.getenv("TSEND_TOKEN") or self.get("token")
...
return os.getenv("TSEND_CHAT_ID") or self.get("chat_id")

The tool uses Telegram bot credentials from environment variables or a local config file. This is expected for a Telegram sender, but the registry metadata lists no primary credential or required environment variables.

User impactAnyone with access to the saved config file or environment may be able to use the configured Telegram bot and chat destination.

RecommendationStore bot tokens carefully, restrict access to ~/.tsend/config.json, and rotate the bot token if it may have been exposed.