ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Screenshot Telegram Direct

v1.0.0

Capture website screenshots and send to Telegram via direct API. Works around OpenClaw's broken image delivery (issue

0· 68·0 current·0 all-time
by@niccoreyes

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for niccoreyes/screenshot-telegram-direct.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Screenshot Telegram Direct" (niccoreyes/screenshot-telegram-direct) from ClawHub.
Skill page: https://clawhub.ai/niccoreyes/screenshot-telegram-direct
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install screenshot-telegram-direct

ClawHub CLI

Package manager switcher

npx clawhub@latest install screenshot-telegram-direct
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The script and SKILL.md both implement capturing a website via an external screenshot API and posting to Telegram — this matches the advertised purpose. However the registry metadata lists no required environment variables, while both SKILL.md and screenshot-send.sh require three secrets (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SNAP_API_KEY). That mismatch between declared requirements and actual runtime needs is a material incoherence.
Instruction Scope
Runtime instructions and the script only call the snapshot service (snap.llm.kaveenk.com) and Telegram API (api.telegram.org), and write a temporary file in /tmp which is removed on success. These actions are within the stated purpose. The docs do recommend auto-sourcing a .env from the skill directory into the user's shell profile (~/.bashrc / ~/.zshrc), which broadens scope by making secrets available to every shell session — this is a potentially risky recommendation and should be optional and clearly explained.
Install Mechanism
No install spec; this is an instruction-only skill with a single helper script. Installation is limited to copying .env, making the script executable, and optionally adding a cron entry — nothing is downloaded or written by an automated installer.
!
Credentials
The skill requires three sensitive environment values (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SNAP_API_KEY) but the registry metadata advertises none. SNAP_API_KEY is sent to an external domain (snap.llm.kaveenk.com) — trust in that service is required because it will receive the URL and any content necessary to produce screenshots. Recommending global auto-sourcing of .env increases the blast radius if those secrets are compromised.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. The only persistent change the docs suggest is editing a shell profile to auto-load the .env, which is a user action (not automatic) but exposes secrets to all shell sessions if applied.
What to consider before installing
Key points before installing: (1) Metadata inconsistency — the registry says no env vars but the script requires TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, and SNAP_API_KEY. Treat that as a red flag and verify with the author. (2) The script sends the SNAP_API_KEY and the target URL to snap.llm.kaveenk.com; confirm you trust that third party (or run your own screenshot service). (3) Avoid automatically sourcing .env from ~/.bashrc unless you understand the risk of exposing tokens to all shells; prefer sourcing manually per session or using a constrained wrapper. (4) Keep .env out of version control, rotate tokens after testing, and test with a throwaway bot/chat and a non-sensitive URL. (5) If you need higher assurance, ask the publisher for a homepage or source repository, or replace the external snap endpoint with a known/trusted service or self-hosted screenshot tool.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binscurl
latestvk974fyxvsnkgjkjjnvb1pn0djd84fv2k
68downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@niccoreyes
latest
Download

Screenshot → Telegram (Direct)

Capture website screenshots and send them to Telegram, bypassing OpenClaw's broken image delivery pipeline.

Quick Start

# 1. Setup environment
cp .env.example .env
# Edit .env with your tokens

# 2. Run the helper script
./screenshot-send.sh https://github.com

Setup

1. Get API Credentials

Telegram Bot Token:

  • Message @BotFather
  • Send /mybots → Select bot → Copy API token

Telegram Chat ID:

Snap API Key:

# Register for free API key
curl -s -X POST https://snap.llm.kaveenk.com/api/register \
  -H "Content-Type: application/json" \
  -d '{"name":"my-agent"}'
# Save the "key" from response

2. Configure

cp .env.example .env
# Edit .env:
# TELEGRAM_BOT_TOKEN=your_token
# TELEGRAM_CHAT_ID=your_chat_id
# SNAP_API_KEY=your_snap_key

# Source it (temporary)
source .env

3. Auto-Load .env (Recommended for OpenClaw)

Option A: Add to shell profile (always available)

Add to ~/.bashrc or ~/.zshrc:

# Auto-load screenshot-telegram-direct env vars
SKILL_DIR="$HOME/.openclaw/workspace/skills/screenshot-telegram-direct"
if [ -f "$SKILL_DIR/.env" ]; then
    export $(grep -v '^#' "$SKILL_DIR/.env" | xargs)
fi

Then reload: source ~/.bashrc

Option B: Source before each OpenClaw session

In your OpenClaw workspace, create load-env.sh:

#!/bin/bash
source "$HOME/.openclaw/workspace/skills/screenshot-telegram-direct/.env"
echo "✅ Environment loaded from screenshot-telegram-direct/.env"

Run before using: source load-env.sh

Option C: Modify screenshot-send.sh to auto-source

The script already checks for env vars. To auto-source .env if it exists, add at the top:

# Auto-source .env if it exists in script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if [ -f "$SCRIPT_DIR/.env" ]; then
    source "$SCRIPT_DIR/.env"
fi

3. Make Script Executable

chmod +x screenshot-send.sh

Usage

Basic screenshot

./screenshot-send.sh https://example.com

Custom caption

./screenshot-send.sh https://github.com "Latest PR status"

Multiple URLs

for url in "https://github.com" "https://news.ycombinator.com"; do
  ./screenshot-send.sh "$url"
  sleep 2
done

Configuration Options

Snap API Options

Edit screenshot-send.sh to customize:

# Full page screenshot
curl -s -X POST "https://snap.llm.kaveenk.com/api/screenshot" \
  -H "Authorization: Bearer $SNAP_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "'$URL'",
    "full_page": true,
    "width": 1920,
    "height": 1080,
    "dark_mode": true,
    "wait_ms": 2000
  }' \
  -o "$OUTPUT_FILE"
OptionDescription
full_pageCapture entire scrollable page
width/heightViewport size
dark_modeEmulate dark color scheme
wait_msWait for JS rendering
formatpng or jpeg

Send as Document (No Compression)

Replace sendPhoto with sendDocument in the script:

curl -s -X POST \
  -F "chat_id=$CHAT_ID" \
  -F "document=@$OUTPUT_FILE" \
  -F "caption=$CAPTION" \
  "https://api.telegram.org/bot$TOKEN/sendDocument"

Automation (Cron)

# Daily dashboard screenshot
0 9 * * * cd /home/pi/.openclaw/workspace/skills/screenshot-telegram-direct && ./screenshot-send.sh https://status.example.com

# Hourly monitoring
0 * * * * cd /home/pi/.openclaw/workspace/skills/screenshot-telegram-direct && ./screenshot-send.sh https://uptime.example.com

File Structure

screenshot-telegram-direct/
├── SKILL.md              # This documentation
├── .env.example          # Template for env vars
├── .env                  # Your secrets (gitignored)
├── .gitignore            # Excludes .env
└── screenshot-send.sh    # Main script

Security

  • .env is gitignored — never commit secrets
  • .env.example shows required variables without values
  • ✅ Script fails if env vars are missing
  • ✅ No hardcoded credentials

Troubleshooting

IssueFix
Missing environment variablesCheck .env exists and is sourced
Failed to capture screenshotCheck SNAP_API_KEY is valid
chat not foundVerify TELEGRAM_CHAT_ID
bot was blockedSend /start to bot in Telegram

Why Not Use OpenClaw Native?

See OpenClaw issue #63137: Images sent via read tool render locally but never reach mobile clients — silent failure with no error logs.

This skill bypasses OpenClaw's Telegram channel entirely using direct HTTP API calls.

Publishing Notes

This skill is ready for publication:

  • No hardcoded secrets
  • .env.example for configuration
  • .gitignore excludes secrets
  • Clear documentation
  • MIT licensed

Comments

Loading comments...