Telegram CS Agent

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its Telegram customer-service purpose, but it uses a real Telegram user session to read and auto-reply to all incoming chats and forwards conversation content to Claude without clear chat scoping.

Install only on a dedicated Telegram support account, not a personal account. Add chat allowlists and rate limits, disclose Claude/AI processing to users, protect .env and Telethon session files, and pin/review dependencies before production deployment.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed on a personal or broadly used Telegram account, the bot may read and act under that user's identity in conversations beyond customer support.

Why it was flagged

The skill intentionally uses a real Telegram user identity rather than a scoped Bot API token, giving the bot broad account-level authority if run on a normal Telegram account.

Skill content

Telegram: Telethon userbot (not Bot API) — appears as a real user

Recommendation

Use only a dedicated Telegram support account, declare the Telegram session/API credentials in metadata, protect the session files, and prefer a scoped Bot API setup if possible.

What this means

The bot could respond from the logged-in account in unrelated private chats or groups, and attackers could trigger unwanted replies or API usage by messaging the account.

Why it was flagged

Each processed incoming text message is turned into an AI response and sent back automatically; the provided code does not show a chat allowlist, approval check, or support-channel restriction.

Skill content

result = agent.chat(chat_id, text)
await tg.send(chat_id, result["reply"])

Recommendation

Add explicit allowed chat IDs, rate limits, and a review/approval path for new chats before enabling automatic replies.

What this means

Customer or private Telegram messages may be transmitted to an external AI provider, especially if the bot is connected to a non-dedicated account.

Why it was flagged

Telegram message content and conversation history are sent to Anthropic for processing, but the artifacts do not show redaction, consent handling, or boundaries limiting which Telegram chats are processed.

Skill content

history.append({"role": "user", "content": user_message})
...
response = self.client.messages.create(
    model=self.config.model,
    max_tokens=1024,
    system=system,
    messages=history,
)

Recommendation

Disclose AI processing to users, restrict processed chats, redact sensitive data where possible, and document retention and provider data-handling expectations.

What this means

Bad or malicious knowledge-base documents could cause the bot to give incorrect instructions to users.

Why it was flagged

Knowledge-base markdown content is inserted into the model context for answers, so inaccurate or instruction-like documentation could steer customer-facing responses.

Skill content

system += f"\n\n--- Knowledge Base Context ---\n{context_text}\n--- End Context ---"

Recommendation

Curate and review all indexed markdown files, avoid embedding operational instructions in customer docs, and separate retrieved facts from system-level instructions.

What this means

A later dependency release could change behavior or introduce vulnerabilities even if the current source looks clean.

Why it was flagged

Dependencies are specified with lower bounds rather than exact pinned versions, so future installs may pull different package versions.

Skill content

anthropic>=0.42.0
chromadb>=0.5.0
sentence-transformers>=3.0.0
python-dotenv>=1.0.0
telethon>=1.37.0

Recommendation

Pin exact versions, use a lockfile or hashes, and review the dependency/model-download provenance before production use.

What this means

Once started, the process may continue monitoring and replying through the Telegram session until it is stopped or disconnected.

Why it was flagged

The bot is designed as a long-running Telegram listener; this is expected for the stated purpose but means it keeps operating until explicitly stopped.

Skill content

await self.client.run_until_disconnected()

Recommendation

Run it under clear process supervision, document start/stop procedures, and ensure operators know how to revoke or delete the Telegram session.