Notify Bot
v1.0.0Send task notifications to specified Telegram bots in a group to activate their sessions and trigger bot actions.
⭐ 0· 394·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (notify Telegram bots in a group to activate their sessions) matches the included shell script and SKILL.md. The script posts to the Telegram API using bot tokens and message/thread parameters, which is exactly the stated purpose.
Instruction Scope
SKILL.md and the script instruct the agent to read bot tokens via a local keychain helper (~/.openclaw/tools/keychain.sh) and to run a shell script located at ~/.openclaw/shared/notify_bot.sh. The instructions do not attempt to read unrelated files or contact endpoints other than api.telegram.org, but they implicitly rely on a local keychain helper being present and trusted.
Install Mechanism
No install spec (instruction-only + included script). Nothing downloads arbitrary code from the network. The script will be placed under ~/.openclaw/shared as documented; this is a normal, low-risk install pattern for an instruction-only skill.
Credentials
No environment variables are declared, and no primary credential is listed, yet the script reads secret bot tokens via a local keychain helper (keys named openclaw.telegram.<bot>.bot_token and openclaw.telegram.vision.token). Accessing Telegram bot tokens is proportionate to the skill's purpose, but the use of a keychain helper and undisclosed local config paths should have been declared as required resources. Also the script uses curl and jq but those binaries are not declared as required.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system-wide privileges. It provides a script under ~/.openclaw/shared and exposes a script path in skill.json, which is normal. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators.
Assessment
This skill appears to do what it says: it posts messages to Telegram groups to trigger bot sessions. Before installing, verify the following: (1) confirm ~/.openclaw/tools/keychain.sh exists and is from a trusted source — the script invokes that helper to retrieve your bot tokens; if that helper is malicious or compromised it could leak secrets; (2) ensure you are okay with the skill posting visible messages into the target group/topic (messages are not deleted); (3) ensure curl and jq are available on the host (script uses them but doesn't declare them); (4) verify the bot tokens stored under openclaw.telegram.* are limited to the bots you intend to notify and rotate tokens if you have concerns. If any of these points are not acceptable, review or modify the script to meet your security requirements before use.Like a lobster shell, security has layers — review code before you run it.
botvk978whg9zw02x4fhk1dh3bgwfx824ct2latestvk978whg9zw02x4fhk1dh3bgwfx824ct2notificationvk978whg9zw02x4fhk1dh3bgwfx824ct2telegramvk978whg9zw02x4fhk1dh3bgwfx824ct2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.