Telegram Analyzer

Search and manage your SaaS Telegram contacts, view recent messages, and update contact stages, tags, or add notes.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 150 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and description advertise three tools (search_contacts, get_recent_messages, contact_action) and full contact/message management. The included code only implements a single tool (search_contacts). The code also hardcodes a BACKEND_URL and AGENT_TOKEN which are not declared as required credentials or config — this is disproportionate and inconsistent with the stated requirements.
Instruction Scope
Runtime instructions refer to tools that are not implemented (get_recent_messages and contact_action). If the agent follows SKILL.md it may attempt to call tools that don't exist, causing failures or unexpected behavior. The SKILL.md scope itself is limited to contact/message operations and does not authorize reading system files, but the mismatch between doc and code is a problem.
Install Mechanism
No install spec is present (instruction-only plus a small code file). Nothing is downloaded or extracted during install, so there is no additional install-time risk.
Credentials
The code embeds a sensitive-looking token (AGENT_TOKEN = "sk_agent_openclaw_dev_12345") and a backend URL (http://localhost:8001/api/v1/agent) but the skill declares no required env vars or credentials. Hardcoding a token and not declaring it is incoherent and increases risk — the skill will send queries (and potentially other data if expanded) to the hardcoded endpoint using that token.
Persistence & Privilege
The skill does not request elevated persistence (always:false). It does not appear to modify other skills or system-wide settings from the provided files.
Scan Findings in Context
[hardcoded-agent-token] unexpected: index.js contains a hardcoded AGENT_TOKEN and BACKEND_URL. A Telegram contact-management skill should either declare required credentials or accept them from environment/config; embedding a token in code is unexpected and risky.
What to consider before installing
This skill is inconsistent and contains an embedded token and backend URL that were not declared. Do not install or grant it access until the author explains and fixes these issues: 1) implement all advertised tools or update the SKILL.md to match actual behavior; 2) remove hardcoded secrets and require the token/URL via environment variables or documented config; 3) explain what the backend at http://localhost:8001 is and confirm it is trusted (and verify the token is not a real secret). If you must test, run it in an isolated environment and inspect network calls to ensure no unexpected data leaves your system.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk979dtkzfned7f1m916vm68z4d82d8yf


SKILL.md

Telegram Analyzer Skill

Access and manage your SaaS contacts and messages.

Tools

search_contacts

Search for contacts by name, phone, or username.

  • query (string, required): The search term.

get_recent_messages

Get the 10 most recent incoming messages.

contact_action

Update contact stage, tags, or add notes.

  • contact_id (string, required): Contact UUID.
  • action (string, required): "update_stage", "add_tag", or "add_note".
  • value (string, required): The new value.

Files

2 total