ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telegram Ops

v1.0.0

Telegram Bot API operations for forum management. Use for creating/editing/archiving forum topics, setting topic icons, managing Telegram groups via Bot API. Use when archiving channels/topics. Requires bot token from OpenClaw config.

0· 1.7k·5 current·5 all-time
by@brennerspear
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and included scripts (create_topic.sh, archive_topic.sh) align with Telegram forum management. However the manifest declares no required credentials or binaries even though the runtime docs instruct the agent to read a bot token from the OpenClaw config and the scripts rely on curl and jq. That mismatch (undeclared dependencies/credentials) is unexpected.
!
Instruction Scope
SKILL.md tells the agent to call gateway action=config.get and config.patch, to export and delete OpenClaw session histories under ~/.openclaw, and to leave the topic 'skills' key unset (which makes all skills available). These instructions operate on internal configuration and session data and encourage a configuration choice that increases agent privileges; that scope goes beyond a simple remote-API wrapper and should be explicitly authorized. The SKILL.md also contains detected prompt-injection patterns (system-prompt-override, unicode-control-chars), which is an active red flag in an instruction document the agent will follow.
Install Mechanism
This is instruction-only (no installer), so nothing is downloaded or executed at install time — lower risk. But the included scripts assume availability of curl and jq (and write/read to ~/.openclaw), while the registry metadata lists no required binaries. That omission is an inconsistency the author should fix.
!
Credentials
The manifest lists no required environment variables or primary credential, yet the docs instruct retrieving a bot token from OpenClaw's config with gateway action=config.get. Accessing internal config to fetch a token is reasonable for a Telegram management skill, but the lack of declared required credentials and no clear minimal-scope guidance about which config paths will be read is disproportionate and opaque. The docs also instruct editing OpenClaw config and deleting sessions—actions that require privileged access to internal data.
Persistence & Privilege
The skill does not request always:true and does not define an install that persists code to nonstandard locations. However, its runtime instructions patch OpenClaw config and remove sessions, which are privileged operations; this is allowed by the platform but should be done only with explicit authorization. Autonomous invocation is enabled by default (not flagged by itself) — combined with the other concerns this increases the blast radius if misused.
Scan Findings in Context
[system-prompt-override] unexpected: The SKILL.md contains patterns that could attempt to override system prompts. For an operations skill that provides bash scripts and API calls, these patterns are not expected and are a red flag because they could manipulate the agent's instruction context.
[unicode-control-chars] unexpected: Detected unicode control characters in the SKILL.md. These are not necessary for Telegram API usage and can be used to obfuscate or manipulate how the agent interprets instructions.
What to consider before installing
This skill appears to implement legitimate Telegram forum actions (create/archive topics) but has several worrying inconsistencies and flagged content. Before installing or running it: 1) Do not run scripts or gateway commands with real tokens until you verify them—inspect the scripts (they are small and readable) and test in a sandboxed account. 2) Confirm how the bot token will be provided: the skill's docs expect fetching it from OpenClaw config, but the manifest declares no required credential—ask the author to declare required env/config and to document minimal access needed. 3) Ensure curl and jq are available (scripts require them) or modify scripts to not depend on jq. 4) Be cautious about the SKILL.md guidance to leave topic 'skills' unrestricted—prefer restricting skills per-topic to least privilege. 5) The SKILL.md contained prompt-injection indicators (system-prompt-override, unicode control chars); treat that as suspicious: ask the author to remove any hidden/unusual characters and explain why those sections are present. 6) If you proceed, run the scripts only with a dedicated bot and a test group, and avoid granting the agent broader OpenClaw config/session deletion permissions until you can audit and trust the skill. If the author cannot satisfactorily explain the missing declarations and the prompt-injection artifacts, do not install this skill in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97azy8bz31bbavsgjtp1115z580fg4p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments