Subdomain Bot Config

v0.2.0

Set up a custom domain and Telegram Bot for a Mobazha store. Use when the user wants to configure DNS, TLS, or a Telegram Mini App storefront.

⭐ 0· 121·0 current·0 all-time

by@fengzie

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fengzie/mobazha-subdomain-bot-config.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Subdomain Bot Config" (fengzie/mobazha-subdomain-bot-config) from ClawHub.
Skill page: https://clawhub.ai/fengzie/mobazha-subdomain-bot-config
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install mobazha-subdomain-bot-config

ClawHub CLI

Package manager switcher

npx clawhub@latest install mobazha-subdomain-bot-config

Security Scan

Capability signals

CryptoCan make purchases

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description (domain + Telegram bot setup for a Mobazha store) align with the commands and steps in SKILL.md (DNS records, mobazha-ctl, mobazha start, BotFather flow). The requested capabilities are proportional to the stated purpose (no unrelated credentials or binaries are requested).

Instruction Scope

SKILL.md instructs executing network-fetched install commands (curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --domain ...) and running admin commands that require elevated privileges. There is no guidance to verify the downloaded script (no checksum or signature), and though the doc says to ask for explicit consent before accepting tokens, it leaves agent behavior open-ended. These instructions give broad authority to execute remote code and handle secrets, which is out-of-band risk for an instruction-only skill.

Install Mechanism

There is no formal install spec, but the documented installation method (pipe a remote script into sudo bash from get.mobazha.org) is equivalent to downloading and executing arbitrary code from the network without checksum/signature. Even if get.mobazha.org is the project's host, lack of verification and use of a single-line pipe makes the flow a high-risk install mechanism.

ℹ

Credentials

The skill does not request environment variables or credentials in metadata (proportionate). However, the runtime instructions expect the operator/agent to accept and use a BotFather token for configuration. The doc warns not to store or transmit tokens, but there is no technical enforcement; users/agents might be asked to paste tokens into chat or run commands that consume them. This is a potential sensitive-data handling risk even though no env vars are declared.

✓

Persistence & Privilege

The skill is user-invocable and not always-on; it does not request persistent privileges or modification of other skills' configs. There is no install-time persistence declared by the skill itself. The only persistence risk arises from the remote installer it recommends (which could write long-lived services on the host).

What to consider before installing

This skill appears to do what it says (set up DNS/TLS and connect a Telegram bot), but exercise caution before running any of the commands. Key risks and actions: - Avoid piping unknown scripts to sudo bash. Instead, download the installer, inspect it, and verify checksums/signatures (ask the vendor for release hashes) before executing. Consider running it in an isolated VM or container first. - Confirm you trust get.mobazha.org (project homepage or repository) — the skill metadata lacks a source/homepage. Ask the publisher for a canonical repository or release page. - Do not paste BotFather tokens or other secrets into untrusted chat windows. If an agent asks you for a token, prefer manual entry into the store admin panel rather than sharing it in conversation. - If you must use this skill, ask the maintainer for safer installation options (package with checksums, signed releases, or an audited installer) and clear instructions for secure token handling. If you want, I can: (a) produce a safer install checklist you can follow, (b) draft specific verification steps to validate the installer, or (c) suggest exact questions to ask the skill author/maintainer before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ebgsfg8xj0jbp02edz7aw4x85b6vr

121downloads

0stars

2versions

Updated 5d ago

v0.2.0

MIT-0

Subdomain & Telegram Bot Configuration

Set up a custom domain for your Mobazha store and connect a Telegram Bot for your storefront Mini App.

Part A: Custom Domain Setup

For Docker Standalone Stores

If you deployed with the Docker standalone installer:

Option 1: Set domain during installation

curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --domain shop.example.com

Option 2: Add domain to an existing store

Point your domain's DNS A record to the VPS IP address
Wait for DNS propagation (usually 1-5 minutes)
Run:

mobazha-ctl set-domain shop.example.com

The store automatically obtains a TLS certificate from Let's Encrypt.

For Native Binary Stores

Start (or restart) with the domain flag:

mobazha start --domain shop.example.com

DNS Setup

At your domain registrar (Cloudflare, Namecheap, GoDaddy, etc.), create an A record:

Type	Name	Value	TTL
A	shop (or @)	`<VPS_IP>`	Auto / 300

If using a subdomain like shop.example.com, the "Name" field should be shop. If using the root domain example.com, the "Name" field should be @.

Verify

After DNS propagation:

# Check DNS resolution
dig +short shop.example.com

# Check HTTPS
curl -sI https://shop.example.com | head -5

Part B: Telegram Bot Setup

Mobazha stores can be accessed as a Telegram Mini App via a Telegram Bot. This lets buyers browse and purchase directly inside Telegram.

Step 1: Create a Bot with BotFather

Open Telegram and message @BotFather
Send /newbot
Choose a display name (e.g., "My Store")
Choose a username (e.g., my_store_bot) — must end with bot
BotFather will reply with a Bot Token — save it securely

Step 2: Configure the Mini App URL

Tell BotFather where your store frontend lives:

Send /mybots to BotFather
Select your bot
Choose Bot Settings → Menu Button
Set the URL to your store:
- SaaS store: https://app.mobazha.org/tma?store=<your-peer-id>
- Standalone store: https://shop.example.com/tma

Step 3: Configure the Bot in Your Store

In your store admin panel:

Go to Admin → Settings → Telegram
Enter the Bot Token from BotFather
Save

This enables:

Order notifications in Telegram
Buyer can message you through the bot
Mini App storefront accessible via the bot's menu button

Step 4: Set Bot Description & Photo

Back in BotFather:

Send /mybots → select your bot
Edit Bot → Edit Description: describe your store
Edit Bot → Edit About Text: short store summary
Edit Bot → Edit Botpic: upload your store logo

Step 5: Share Your Bot

Your Telegram storefront is now live at:

https://t.me/<bot_username>

Share this link anywhere — buyers tap the menu button to open your Mini App store.

Credential Handling

Ask for explicit user consent before connecting to any server or entering credentials
If the user shares a BotFather token, use it only for the immediate configuration task
Never store, log, or display credentials after use
Remind the user to keep tokens and passwords private
The agent must not transmit credentials to any party other than the intended target

Comments

Loading comments...