Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CommunityOS Telegram Bot

v1.0.1

Manage Telegram bots with unified LLM settings, add text knowledge bases, enable auto replies, and control direct messaging without group setup.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (Telegram bot management + LLM) matches the code and UI, but the registry declares no required environment variables or credentials while SKILL.md and the source code explicitly expect Telegram tokens and multiple LLM API keys (examples: TELEGRAM_BOT_TOKEN_PANDA, MINIMAX_API_KEY, CLAUDE_API_KEY). That is an inconsistency: a bot manager legitimately needs these secrets, so they should be declared in metadata.
Instruction Scope
SKILL.md instructs you to run admin/app.py and to create/edit a .env with Telegram and LLM keys and to paste tokens into the UI. Those instructions are within the stated purpose, but they also direct the agent/operator to store sensitive secrets locally and to run a local web UI that will persist data in the skill workspace. The SKILL.md and README also recommend installing requirements, but the registry provided no install spec — another mismatch.
Install Mechanism
There is no install spec in the registry (instruction-only), yet source includes requirements.txt and README install guidance. The code will likely require pip installing packages; missing an install spec is a packaging/integrity issue but not necessarily malicious. No high-risk remote download URLs are present.
Credentials
The manifest claims no required env vars, but the code and SKILL.md rely on multiple environment keys (Telegram tokens, provider API keys). Bot configs use env var names as placeholders and lite.html notes API keys get stored locally. This is disproportionate to the registry declaration and increases risk if users aren't warned. In addition, bot configs include external API endpoints for scheduled broadcasts (e.g., api.example.com), meaning the service will make outbound network calls.
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-wide privileges. It runs a local FastAPI service and writes JSON and knowledge files under its workspace (admin/data, knowledge/, chroma_db). That local persistence is expected for this purpose, but it does mean tokens/keys saved via UI or .env will be stored on-disk in the skill workspace.
What to consider before installing
Key things to consider before installing:

  1. The registry metadata omits required secrets, but SKILL.md and the code expect Telegram bot tokens and multiple LLM API keys; treat these as required and do not reuse high-privilege credentials.
  2. The package runs a local web server (http://localhost:8878/lite) that will store tokens and knowledge in the skill workspace; store the workspace in a controlled location and audit files (admin/data, .env) after use.
  3. The code imports modules not present in the package or requirements (notably harness.core, knowledge_base.loader and some llm modules), so runtime behavior depends on additional, unspecified components; ask the author which packages or internal modules are required, or inspect and lock their sources.
  4. The bot can fetch external endpoints configured in broadcasts or LLM providers; review any API endpoints before enabling scheduled tasks.
  5. If you will run this on a machine with sensitive files, avoid pointing the knowledge folder at arbitrary system paths: the skill reads files from configured knowledge folders and could access local documents if misconfigured.

Recommended actions: verify and declare required env vars in metadata, run in an isolated environment (container/VM), inspect missing dependencies and add only trusted providers, and audit persistence (where tokens are stored) before using in production.



SKILL.md

CommunityOS Telegram Bot Skill

Simple Telegram Bot management without group configuration.

Features

  • 🤖 Bot Management - Create, edit, delete Telegram bots
  • 🔑 Global LLM Config - Unified LLM settings for all bots (MiniMax, OpenAI, Anthropic, DeepSeek)
  • 📚 Text Knowledge Base - Paste text directly, bot answers within knowledge scope
  • 💬 Auto Reply - Bot auto-replies in groups without group config
  • 🔒 DM Control - Toggle Allow DM to control private chat

Quick Start

cd ~/.openclaw/workspace/skills/community-os
source venv/bin/activate
python admin/app.py

Then visit: http://localhost:8878/lite

Usage Flow

  1. Go to @BotFather → Create bot → Copy token
  2. Paste token in Lite → Save
  3. (Optional) Paste knowledge text
  4. Invite bot to Telegram group → Done!

Configuration

Edit .env file:

TELEGRAM_BOT_TOKEN_PANDA=your_token_here
MINIMAX_API_KEY=your_key_here

LLM Providers

Provider    Default Model        Notes
MiniMax     MiniMax-2.7          Free tier
OpenAI      GPT-4o               Paid
Anthropic   Claude 3.5 Sonnet    Paid
DeepSeek    DeepSeek Chat        Cheap

Files

  • admin/app.py - FastAPI backend
  • admin/lite.html - Simple UI
  • bot_engine/ - Bot runtime engine
  • config/ - Configuration files
