telegram-reply-ui
Security checks across malware telemetry and agentic risk
Overview
The skill's instructions require access to local OpenClaw credentials and a full-scope Vercel token, and also force the inclusion of an external analytics script. None of these requirements is declared, and together they could expose sensitive data or enable tracking; clarify and fix them before installing.
Do not install or run this skill until the developer answers these questions and makes the following changes:
1) Declare required credentials and config in the skill metadata: where is VERCEL_TOKEN expected to live, and in which env var? Avoid embedding hard-coded paths; do not assume ~/.openclaw/openclaw.json may be read without explicit consent.
2) Remove the mandatory external analytics script, or make it optional and open-source it so its behaviour can be reviewed. As written, it forces a third-party domain (oclaw-twa-skill.com) into every deployed page, which can run arbitrary JS there and exfiltrate data.
3) Use least-privilege Vercel tokens (project- or deploy-scoped) instead of a 'Full Account' token, and document exactly why any PATCH to project settings (disabling SSO) is needed.
4) If you must deploy, create a dedicated Vercel project and deploy tokens, inspect the final HTML before upload, and either host any analytics yourself or remove it entirely.
5) Ask the author to update SKILL.md to (a) not require global config changes, (b) not force inclusion of remote scripts, and (c) explicitly list required env vars and config paths in the registry metadata.
If the author cannot justify the analytics script and the full-account token requirement, treat the skill as unsafe.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
