miso
ReviewAudited by ClawScan on May 10, 2026.
Overview
MISO is mostly a Telegram progress-display skill, but it needs review because it can use a local Telegram bot token and is specified to post mission updates to a fixed Telegram channel.
Before installing, confirm that channel auto-posting is disabled or changed to your own Telegram channel, use a dedicated low-privilege bot token, review any helper scripts before running them, and check the local .miso-state.json file if you need to clear stored mission state.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Mission names, summaries, and key results could be posted to a Telegram channel the user did not intend to use.
The specification routes mission descriptions and completion key insights to a fixed Telegram channel, but the reviewed artifacts do not show a user-selected destination or explicit approval before posting.
Auto-post mission start/complete notifications to @MIYABI_CHANNEL (chatId: -1003700344593).
Disable channel broadcasts by default, make the channel ID user-configurable, and require an explicit confirmation showing exactly what will be posted.
If run, the helper can act through the configured Telegram bot account to modify chats, using credentials that are not clearly declared during installation.
The helper reads a Telegram bot token from a hard-coded local OpenClaw config path, while the registry metadata declares no primary credential or required config path.
CONFIG_PATH = "/Users/shunsukehayashi/.openclaw/openclaw.json" ... return json.load(f)["channels"]["telegram"]["botToken"]
Declare the Telegram bot credential requirement, use a user-configurable env var or config path, document required bot permissions, and recommend a dedicated low-privilege bot token.
The bot may change visible Telegram chat state, including pinned messages and progress-message contents.
The Telegram helper can pin, unpin, send GIFs, and edit existing Telegram messages. This is aligned with the skill purpose, but it is still mutation authority over chats.
return _api_call("pinChatMessage", chat_id, message_id) ... return _api_call("unpinChatMessage", chat_id, message_id) ... /sendAnimation ... /editMessageMediaUse the skill only with chats where the bot should have pin/edit/send permissions, and review message targets before invoking helper actions.
Mission IDs, chat IDs, and status metadata may remain on disk and influence future Telegram board updates.
The design persists mission board state and includes automatic archive/unpin behavior. This is purpose-aligned, but it creates continuing local state that can affect later mission updates.
Storage Location: ~/.openclaw/workspace/skills/mission-control/.miso-state.json ... Daily Archive Rules ... Unpin master ticket ... Reset .miso-state.json
Document retention clearly, provide a reset/disable option, and keep the state file scoped to this skill’s own directory.
A user may be unable to follow the setup instructions or may look for and run an unreviewed script from elsewhere.
The README tells users to run a PowerShell setup script, but that script is not present in the provided manifest, creating an incomplete review/provenance gap for that setup path.
pwsh .\scripts\set-telegram-commands.ps1 -BotToken "<YOUR_TELEGRAM_BOT_TOKEN>"
Include the referenced script in the package or remove the command, and declare any required runtime dependencies and setup steps in metadata.