Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CommunityOS Lite
v1.2.8 · Runs and extends CommunityOS Lite — local FastAPI admin, Lite UI at /lite, multi-bot Telegram polling via telegram_runner, global LLM config, and per-bot tex...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The code and SKILL.md implement a local Telegram runner + LLM integration consistent with the description. However, the registry metadata at the top lists no required env vars, while SKILL.md and _meta.json clearly require Telegram and LLM keys (e.g., TELEGRAM_BOT_TOKEN, MINIMAX_API_KEY). That mismatch (declared 'none' vs. actual needs) is an incoherence that could mislead users about which secrets are required.
Instruction Scope
Runtime instructions are narrowly scoped to starting the local FastAPI app (python admin/app.py), copying .env.example, and using the Lite UI. The SKILL.md explicitly warns not to expose the port. The instructions and code read .env and admin/data/*.json for tokens and LLM config; they do not add unexpected network endpoints beyond the Telegram and LLM provider APIs. However, the app intentionally serves an unprotected /lite UI by default, and the code bypasses formal auth in require_auth (it unconditionally returns 'admin'). This security-relevant behavior is documented in the SKILL.md but is important to surface.
Install Mechanism
No install spec is provided (instruction-only install), and the package includes Python code and requirements.txt. There are no opaque download URLs or archive extracts in the install metadata. Because code files are present, running the app will write and modify local JSON files and start subprocesses, but that is consistent with the stated local-service purpose.
Credentials
The project legitimately needs Telegram and LLM credentials (per SKILL.md and _meta.json) and reads many possible env var names (MINIMAX_API_KEY, TELEGRAM_BOT_TOKEN, and per-bot variables such as {BOT_ID}_TOKEN). But the top-level registry metadata showing 'no required env vars' is inconsistent with that. The app also auto-loads a local .env file into os.environ at startup, which may pick up unrelated credentials if any are present. Tokens and keys are stored in admin/data/*.json by design (typically gitignored) — this is proportional for a local admin but increases risk if users accidentally commit or expose those files.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. The FastAPI app spawns a telegram_runner subprocess on startup (in its lifespan context), which is expected for the described single-process runner. Autonomous model invocation is the default but is not an additional unexpected privilege here.
What to consider before installing
This package is a coherent local Telegram+LLM admin, but treat it as sensitive:
1) Expect to provide Telegram tokens and an LLM API key (TELEGRAM_BOT_TOKEN, MINIMAX_API_KEY or provider-specific keys) even though the registry header incorrectly said none.
2) Run only on a trusted machine or localhost (the UI is intentionally unprotected by default and require_auth is effectively bypassed). If you must expose it to other hosts, add authentication or a reverse proxy.
3) Keep .env and admin/data/*.json out of version control (they are gitignored in the repo, but double-check before committing).
4) Review admin/app.py behavior (it loads .env into os.environ and auto-spawns the telegram_runner subprocess), and confirm you are okay with the service making outbound calls to Telegram and the chosen LLM providers.
5) If you need this skill on a shared host, either harden login (enable LITE_PASSWORD and implement proper auth) or avoid installing it.
Finally, resolve the metadata mismatch with the publisher (which env vars are required) before trusting automated install workflows.
Tags: ai · bot · latest · llm · open-source · telegram
