ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telegram Post

v1.0.0

Отправляет текстовые и мультимедийные сообщения в указанные Telegram-группы через OpenClaw CLI с использованием заданного CHAT_ID.

0· 109·1 current·1 all-time
by@larthe

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for larthe/telegram-post.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Telegram Post" (larthe/telegram-post) from ClawHub.
Skill page: https://clawhub.ai/larthe/telegram-post
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install telegram-post

ClawHub CLI

Package manager switcher

npx clawhub@latest install telegram-post
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the instructions (sending Telegram messages via OpenClaw CLI). However, the instructions embed a live-looking Telegram bot token in curl examples and reference specific local user paths (/home/larthe/...) and gateway details without declaring any required credentials or configuration. A well-formed Telegram skill would declare a bot token/credential and not hard-code another user's absolute paths.
!
Instruction Scope
SKILL.md instructs running openclaw and curl commands, listing local media files, and hitting a local gateway (127.0.0.1:18789). It therefore instructs the agent to access local filesystem paths and network endpoints and to use a hard-coded bot token — actions that go beyond simple message formatting and can expose or misuse local files and credentials.
Install Mechanism
No install spec is present (instruction-only), so nothing is written to disk or downloaded by the skill itself. That lowers supply-chain risk, though runtime instructions still invoke local binaries and network calls.
!
Credentials
The skill declares no required environment variables or primary credential, yet the SKILL.md contains a Telegram bot token in a curl example and references user-specific media directories. This mismatch (no declared credential but visible secret in instructions) is disproportionate and potentially exposes credentials or suggests the skill was copied from another user's environment.
Persistence & Privilege
always is false (good). Autonomous invocation is allowed (platform default). Combined with embedded credentials and local file references, autonomous runs could access local files and call external APIs — increasing blast radius. This is not inherently forbidden but worth considering before enabling autonomous invocation.
Scan Findings in Context
[unicode-control-chars] unexpected: The scanner detected unicode control characters/prompt-injection patterns in SKILL.md. This is not expected for a straightforward Telegram-posting skill and may indicate deliberate or accidental injection payloads embedded in the text. Treat the SKILL.md content as potentially manipulated and inspect raw file for hidden characters.
What to consider before installing
Do not install blindly. Review the SKILL.md raw text and remove or rotate any hard-coded secrets (the curl example contains a Telegram bot token). Verify that the OpenClaw CLI and the local gateway referenced are ones you control, and confirm the absolute file paths (/home/larthe/...) map to intended media directories. Prefer skills that declare their required credentials (e.g., BOT_TOKEN) and expect them via environment variables or a secrets manager rather than embedding tokens. If you already used the embedded token, assume it may be compromised: revoke/rotate it and audit the bot's admin privileges. Finally, if you will allow autonomous invocation, restrict the agent's permissions or run it in an isolated account/container to limit access to local files and network endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aa2j2r8r720hwpb39jxn5g983vdby
109downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@larthe
latest
Download

Telegram Post Skill

Назначение

Отправка сообщений в Telegram-группы через OpenClaw CLI.

Когда использовать

Используй этот навык, когда Влад просит:

  • "Опубликуй в группу"
  • "Отправь пост в Telegram"
  • "Напиши в группу робототехники"
  • "Сделай отчёт о занятии"

Команда

openclaw message send --channel telegram --target "<CHAT_ID>" --message "<ТЕКСТ>" [--media "<ПУТЬ>"]

Параметры

ПараметрОписаниеПример
--channelВсегда telegram
--targetID группы-1003856211981
--messageТекст сообщения"Отчёт о занятии"
--mediaПуть к фото/видео (опционально)/home/larthe/.openclaw/media/inbound/file.jpg

Группы

  • -1003856211981Робототехника 8-11 лет (основная)
  • -1003829257143 — другая группа
  • -1003879018559 — другая группа

Примеры

1. Текстовое сообщение

openclaw message send --channel telegram --target "-1003856211981" --message "Напоминание: завтра занятие в 11:50"

2. Фото с текстом

openclaw message send --channel telegram --target "-1003856211981" \
  --message "🤖 ОТЧЁТ О ЗАНЯТИИ
📅 Дата: 22 марта 2026
👨‍🏫 Преподаватель: Владислав

📌 ПРОЕКТ: ТАНКИ ИЗ LEGO WeDo 2.0
..." \
  --media "/home/larthe/.openclaw/media/inbound/file_14---a50e3b78-c5cc-4b70-9bc0-a7c362c13cb2.jpg"

3. Видео

openclaw message send --channel telegram --target "-1003856211981" \
  --message "📹 Видео с занятия" \
  --media "/home/larthe/.openclaw/media/inbound/IMG_5285.mp4"

4. Альбом (через API, до 10 фото)

curl -X POST "https://api.telegram.org/bot8415787322:AAGK4aQCCGei35g9t2ybKhexlR4BdCZs-3M/sendMediaGroup" \
  -F "chat_id=-1003856211981" \
  -F 'media=[{"type":"photo","media":"attach://f1","caption":"Текст"},{"type":"photo","media":"attach://f2"}]' \
  -F "f1=@/home/larthe/.openclaw/media/inbound/file1.jpg" \
  -F "f2=@/home/larthe/.openclaw/media/inbound/file2.jpg"

Медиа-файлы

Папка: /home/larthe/.openclaw/media/inbound/

Список файлов:

ls -la /home/larthe/.openclaw/media/inbound/*.jpg

Важно

✅ Бот имеет Privacy Mode: Disabled — видит все сообщения в группах ✅ groupPolicy: "open" — может отправлять без упоминания ✅ Бот — админ в группе -1003856211981 ✅ Gateway запущен на порту 18789

Проверка статуса

# Проверить gateway
curl -s http://127.0.0.1:18789/health

# Проверить бота
curl -s "https://api.telegram.org/bot8415787322:AAGK4aQCCGei35g9t2ybKhexlR4BdCZs-3M/getMe"

Comments

Loading comments...