Telegram Tools Suite
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the generated session file or credentials could potentially access the Telegram account, so these files and values must be protected.
The skill requires Telegram API credentials, phone login, and creates persistent Telegram session files. This is expected for a Telegram client automation tool, but it gives the skill access to the user's Telegram account.
requiredEnv: TELEGRAM_API_ID ... TELEGRAM_API_HASH (highly sensitive) ... TELEGRAM_PHONE ... At runtime, `*.session` session files (containing the Telegram login authentication state) are generated in the `userdata/` directory
Use a dedicated/test Telegram account, do not share .env or .session files, and run only from a trusted local copy.
Incorrect targets or messages could join unwanted groups, send unwanted messages, or trigger Telegram anti-spam restrictions.
The skill exposes high-impact Telegram actions such as batch joining groups and scheduled group messaging. The actions are disclosed and gated by an explicit environment variable, but they can still affect the user's account reputation and public/group interactions.
`ENABLE_HIGH_RISK_OPERATIONS=true python3 -m tg_monitor_kit join --once` ... `ENABLE_HIGH_RISK_OPERATIONS=true python3 -m tg_monitor_kit send-schedule`
Only enable high-risk commands for reviewed target lists/messages, keep conservative send/join limits, and avoid using a primary Telegram account.
A task left running may continue monitoring Telegram activity or sending scheduled messages until stopped.
The skill includes long-running tasks. This is disclosed and fits the monitoring/search/scheduling purpose, but users need to manage process lifetime themselves.
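`monitor` (group monitoring), `search` (group search), and `join` (batch group joining in scheduled mode) are all long-running resident tasks; once started, they keep running in the background until manually terminated.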
Run long-lived commands in a visible terminal when possible, stop them with Ctrl+C or by ending the Python process, and verify no stale process remains.
Local output files may reveal group memberships, group IDs, monitored message hits, or search results to anyone with access to the machine.
The skill stores a local cache of joined Telegram groups/channels. Other code also exports monitoring/search results to local files, which is expected for the tool but can leave sensitive Telegram metadata and message-derived data on disk.
return os.path.join(cfg.project_root, "userdata", "my_telegram_groups.json") ... json.dump(groups, f, ensure_ascii=False, indent=2)
Keep the project directory private, avoid committing userdata/output files, and delete local caches/exports when no longer needed.
Dependency behavior could change across installs if upstream packages release new versions.
The install path uses normal Python dependencies with lower-bound version ranges rather than pinned versions. This is common and purpose-aligned, but it means future installs may resolve to newer dependency versions.
dependencies = [ "telethon>=1.34.0", "openpyxl>=3.1.0", "python-dotenv>=1.0.0" ]
Install in a virtual environment and consider pinning dependency versions or using a lockfile for repeatable deployments.
