Signallink
Review
Audited by ClawScan on May 10, 2026.
Overview
SignalLink mostly matches its purpose, but one webhook endpoint can let outsiders send arbitrary messages to your Telegram chat without checking the configured secret.
Review before installing. If you use it, set a webhook secret, patch /webhook/raw to require the same secret, use HTTPS or a trusted reverse proxy, restrict access to port 8000, protect the Telegram bot token, and verify the missing Docker setup files before running.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the server could spam the configured Telegram chat or send fake-looking trading alerts through the user's bot.
The raw endpoint accepts a request body and sends it to Telegram without taking or validating X-Webhook-Secret; the main /webhook endpoint has a secret check, but this endpoint bypasses it.
@router.post("/webhook/raw")
async def receive_raw_webhook(request: Request):
    ...
    message = format_raw(payload)
    await send_message(message)
Require WEBHOOK_SECRET validation on every POST endpoint, reject missing secrets in production, add rate limiting, and expose the service only behind HTTPS/firewall controls.
If the bot token is exposed or reused elsewhere, someone could control that Telegram bot's messaging ability.
The Telegram bot token and chat ID are required for the stated Telegram integration and are used to send messages as the user's bot.
Ask for their `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID` if not already set
Use a dedicated Telegram bot for this service, store the token only in a local .env or secret manager, and rotate the token if it is ever shared or logged.
Docker setup may fail or users may be tempted to fetch missing files from outside the reviewed artifact set.
Docker Compose expects a local Docker build context, but the supplied manifest does not include a Dockerfile even though the documentation references one.
services:
  webhook-router:
    build: .
Verify the repository contents before running Docker, and prefer a reviewed package that includes all referenced setup files.
Alert contents may be visible to anyone with access to server, container, or centralized logs.
Incoming webhook payloads are written to application logs, which may retain trading strategy details or other custom alert data.
logger.info(f"Received webhook payload: {payload}")
Do not include secrets in webhook payloads, and consider redacting or disabling full-payload logging in production.
The webhook listener may continue accepting requests until explicitly stopped.
The service is configured to keep running and listening on port 8000 after it is started, which is normal for a webhook router but creates persistent exposure.
ports:
  - "8000:8000"
restart: unless-stopped
Run it only where intended, stop it when not needed, and restrict inbound access to trusted webhook sources where possible.
