Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telegram-Bot-managerj

Manage and secure local high-privilege storage serving workflows. Use when creating, starting, stopping, or hardening a full-drive file server and related op...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 393 · 0 current installs · 0 all-time installs
by manlight (@manlight87)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's published name/slug (Telegram-Bot-managerj / telegrambot) and the short description in the registry do not match the included files, which implement a 'God Mode Manager' local file server. That mismatch is a red flag: either the metadata is incorrect or the package was repurposed/mislabelled. The actual capability (serving the system root, listing and returning files) is plausible for a 'local storage manager' but is unexpected given the registry name.
Instruction Scope
SKILL.md and the runtime script are consistent with each other: the instructions tell the agent to run node scripts/server.cjs and to bind and require a token. The server implements listing, reading (with a small-size read endpoint) and full downloads under a configured ROOT. That behavior matches the stated operational purpose (manage/harden local storage), but the default ROOT is the system drive (C:\) and the README relies on operator discipline (bind to loopback, require token). This grants broad access to sensitive files if misconfigured.
Install Mechanism
There is no install script or external download; the skill is instruction-only plus included code files. Nothing is pulled from external URLs or installed automatically, which minimizes supply-chain risk. The code is plain JS included in the bundle.
Credentials
The registry metadata lists no required environment variables or primary credential, yet the code and SKILL.md rely on several environment variables (GOD_MODE_ROOT, GOD_MODE_HOST, GOD_MODE_PORT, GOD_MODE_TOKEN, GOD_MODE_TOKEN_REQUIRED, GOD_MODE_MAX_READ_BYTES). In particular GOD_MODE_TOKEN is required by default (the process will exit if missing). The absence of declared required env vars in metadata is an inconsistency that hides the need for a secret token and the risk of exposing sensitive data if defaults are used.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. However, running it gives the process access to the configured root (default: entire system drive). That is a high-privilege capability at runtime — dangerous if started unintentionally or with inadequate authentication/binding.
What to consider before installing
Do not install or run this skill without verification. Specific points to consider:

  • Metadata/name mismatch: the package is labeled as a Telegram-related skill but contains a 'God Mode Manager' file server — ask the publisher for clarification or source provenance.
  • Hidden env vars: the bundle expects GOD_MODE_TOKEN and other env vars even though the registry declares none — set a strong token and verify the skill will not run without it.
  • Dangerous defaults: the default root is C:\ (full system drive). If you must run this, change GOD_MODE_ROOT to a minimal directory and ensure GOD_MODE_HOST is 127.0.0.1 and token auth is enabled.
  • Least privilege: do not run as an elevated user; run inside an isolated environment (sandbox, VM, container) for testing and audit which files are served.
  • Audit the code: review scripts/server.cjs (provided) and test in a safe environment before exposing any network binding.

If you don't trust the source or cannot verify the author, do not run it on production or sensitive hosts. If the publisher can explain the naming/metadata discrepancy and update the registry to declare the required env vars and safer defaults, the risk would be reduced.


Current version: v1.0.0

SKILL.md

God Mode Manager

Use this skill to operate a hardened local storage manager.

Start Point

  1. Confirm target root path and port.
  2. Confirm auth token strategy.
  3. Run server script in scripts/.
  4. Validate local-only reachability and auth.

Default Run Command

node scripts/server.cjs

Runtime Environment

  • GOD_MODE_ROOT: root path to expose (default C:\).
  • GOD_MODE_HOST: bind host (default 127.0.0.1).
  • GOD_MODE_PORT: bind port (default 8888).
  • GOD_MODE_TOKEN: access token.
  • GOD_MODE_TOKEN_REQUIRED: true by default.

Operational Rules

  • Keep server bound to loopback unless explicitly required.
  • Require token auth for non-debug usage.
  • Refuse path traversal outside configured root.
  • Prefer structured JSON listings for automation.
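
The rules above can be checked before the server is ever started. The following is an added example, not code from scripts/server.cjs: `checkConfig` and `resolveInsideRoot` are hypothetical helpers, the 32-character token minimum and the way GOD_MODE_TOKEN_REQUIRED is parsed are assumptions, and the sample values are constructed.

```javascript
// Added example: pre-flight checks for the GOD_MODE_* settings listed in SKILL.md.
// checkConfig and resolveInsideRoot are hypothetical names, not the skill's own code.
const path = require('node:path');

const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);
const MIN_TOKEN_LEN = 32; // assumed minimum, not stated on the page

// Return findings for an environment-style object (for example process.env).
// p selects path semantics: path.win32 for a C:\ root, path.posix for /.
function checkConfig(env, p = path) {
  const findings = [];
  const root = p.resolve(env.GOD_MODE_ROOT || 'C:\\'); // default per SKILL.md
  const host = env.GOD_MODE_HOST || '127.0.0.1';       // default per SKILL.md
  // Assumption: only the literal string "false" disables the token requirement.
  const tokenRequired = (env.GOD_MODE_TOKEN_REQUIRED || 'true').toLowerCase() !== 'false';

  if (p.parse(root).root === root) findings.push('root-is-whole-drive');
  if (!LOOPBACK.has(host)) findings.push('non-loopback-bind');
  if (!tokenRequired) findings.push('token-auth-disabled');
  else if ((env.GOD_MODE_TOKEN || '').length < MIN_TOKEN_LEN) findings.push('token-missing-or-short');
  return findings;
}

// Resolve a client-supplied path against root; return null if it leaves root.
// Comparing the relative path avoids the prefix bug where "C:\srv\share-private"
// passes a naive startsWith("C:\srv\share") test.
function resolveInsideRoot(root, requested, p = path) {
  const base = p.resolve(root);
  const target = p.resolve(base, requested);
  const rel = p.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + p.sep) || p.isAbsolute(rel);
  return escapes ? null : target;
}

// Constructed sample values, evaluated with Windows path rules on any host.
const defaults = checkConfig({}, path.win32);
const hardened = checkConfig(
  { GOD_MODE_ROOT: 'C:\\srv\\share', GOD_MODE_TOKEN: 'x'.repeat(32) }, path.win32);
console.log('defaults:', defaults);
console.log('hardened:', hardened);
console.log('inside:  ', resolveInsideRoot('C:\\srv\\share', 'docs\\a.txt', path.win32));
console.log('escape:  ', resolveInsideRoot('C:\\srv\\share', '..\\..\\Windows\\win.ini', path.win32));
```

The containment check is lexical only; a symlink or junction inside the root can still point outside it, so a real server would also compare `fs.realpathSync` results before opening the file.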

Files

  • scripts/server.cjs: server implementation.
  • references/ops.md: ops notes and runbook.
