Telegram Compose

Security checks across malware telemetry and agentic risk

Overview

This skill transparently formats and sends Telegram messages using a configured bot token, which matches its stated purpose but should be installed only if that behavior is intended.

Install only if you want OpenClaw to send longer or structured Telegram replies through your configured Telegram bot. Keep bot accounts and chat IDs scoped to intended chats, and avoid sending secrets or private data unless you intend that content to appear in Telegram.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The auto-invocation rule is broad enough to trigger on many normal Telegram responses, causing this skill to run in more situations than a user may expect. Because the skill reads a bot token from local config and performs outbound network sends, over-broad triggering increases the chance of unintended data transmission and credential use without an explicit, per-message confirmation boundary.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The spawn decision uses subjective criteria like '>3 lines' or 'structured data,' which are ambiguous and easy to satisfy accidentally. In this context, ambiguity is risky because it can cause a sub-agent with exec access to read secrets and send externally when a simpler local-only response path should have been used.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read a Telegram bot token from local configuration and use it to send content outbound, but it does not require a prominent user-facing warning or consent checkpoint. That creates a clear credential-access and exfiltration pathway: local secret material is accessed and then used to transmit data to an external service under broad invocation conditions.

External Transmission

Medium
Category
Data Exfiltration
Content
BOT_TOKEN=$(jq -r ".channels.telegram.accounts.$ACCOUNT.botToken" "$CONFIG")

# Without topic thread
curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
    --arg chat "$CHAT_ID" \
Confidence
90% confidence
Finding
curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
    --arg chat "$CHAT_ID" \
    --arg text "$MESSAGE" \
    '{ ch

External Transmission

Medium
Category
Data Exfiltration
Content
BOT_TOKEN=$(jq -r ".channels.telegram.accounts.$ACCOUNT.botToken" "$CONFIG")

# Without topic thread
curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
    --arg chat "$CHAT_ID" \
Confidence
90% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
}')"

# With topic thread
curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
    --arg chat "$CHAT_ID" \
Confidence
90% confidence
Finding
https://api.telegram.org/

VirusTotal

65/65 vendors flagged this skill as clean.
