Telegram Topic Rename
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
Before installing, ensure you trust the included script, configure a dedicated Telegram bot token securely, and verify the chat/thread target before allowing the skill to rename a topic. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong chat ID, thread ID, name, or icon is used, the bot may rename the wrong Telegram topic.
The script performs a Telegram Bot API call that changes a forum topic's title and optionally its icon. This matches the stated purpose, but it is an external account mutation.
CURL_ARGS=(-s "https://api.telegram.org/bot${BOT_TOKEN}/editForumTopic") ... CURL_ARGS+=(-d "chat_id=${CHAT_ID}") ... CURL_ARGS+=(--data-urlencode "name=${NAME}")Confirm the target chat/thread and intended name/icon before invoking the skill, especially in shared or public groups.
Anyone who obtains the bot token could act as that bot within its Telegram permissions.
The skill needs a Telegram bot token, which is expected for the Bot API but grants the bot's Telegram permissions wherever that bot is installed.
Set `TELEGRAM_BOT_TOKEN` in your environment or OpenClaw config
Use a dedicated bot with only the permissions needed for topic management, store the token securely, and rotate it if exposed.
Install-time checks may not warn users that a Telegram token is required.
The registry metadata under-declares the credential requirement that the skill itself documents. This appears to be a packaging/metadata gap rather than hidden credential use.
Description: ... Requires TELEGRAM_BOT_TOKEN environment variable ... Required env vars: none; Env var declarations: none; Primary credential: none
Treat TELEGRAM_BOT_TOKEN as a required credential despite the metadata, and verify local dependencies such as curl and jq before use.