Telegram Compose
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill transparently formats and sends Telegram messages through a configured bot token; this matches its purpose, but users should notice that it can post to Telegram through their bot.
Install this only if you want OpenClaw to send longer or structured Telegram replies through your configured bot. Verify the bot account, chat ID, and thread ID are scoped to the intended conversations, and do not include secrets or private information unless you intend them to be delivered to Telegram.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A configured Telegram bot token can be used to send messages as that bot to chats the bot can access.
The skill uses a local Telegram bot credential, which is sensitive authority, but the credential source and account-selection rule are disclosed and tied to the stated Telegram-sending purpose.
Bot token: Stored in the OpenClaw config file under `channels.telegram.accounts.<name>.botToken`. The account name is always provided by the caller. Never auto-select or iterate accounts.
Only install if you intend OpenClaw to send Telegram messages through this bot, and keep bot accounts and chat IDs scoped to the chats you expect.
If invoked with the wrong chat ID, account, or message content, the bot may send a Telegram message to an unintended destination.
The skill allows shell execution and uses curl to call Telegram directly. This is purpose-aligned for direct API delivery, but it is still an external action that posts content.
allowed-tools: exec, Read ... curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage"Review the account name, chat ID, thread ID, and content before relying on automatic sending for important or sensitive messages.
Sensitive information included in longer Telegram replies may be passed to the sub-agent and then sent to Telegram.
The main session passes raw message content and routing details to a sub-agent, which then sends the message. This flow is disclosed and bounded, but users should recognize that substantive content is handed to another agent context for delivery.
Substantive content (>3 lines, or has lists/stats/sections/reports): Spawn this skill as a sub-agent. ... Raw content — the unformatted text/data to turn into a rich message
Avoid including secrets or private data in Telegram-bound content unless you intend that data to be sent to the target chat.
The skill may fail or behave unexpectedly if jq, curl, or the configured Telegram account are missing or different from what the user expects.
The instruction-only skill depends on local jq/curl and Telegram configuration rather than packaged code or an install step. This is disclosed, but users should ensure those local tools and configuration are expected.
"requires": { "binaries": ["jq", "curl"], "config": ["channels.telegram.accounts.<account>.botToken"] }, ... "network": ["api.telegram.org"]Confirm jq and curl are available and that the OpenClaw Telegram account configuration points to the intended bot.