Skill v1.0.1
ClawScan security
MTProto 2.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 2:29 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only implementation guide for MTProto 2.0 whose requested footprint matches its purpose, but it contains example code that must not be copied to production without fixing the documented cryptographic mistakes and getting an expert audit.
- Guidance: This is a documentation/implementation guide (no installation or network behavior). It is internally coherent and appropriate for implementing MTProto, but several example code snippets are insecure if copied verbatim: they use math/rand for cryptographic nonces/padding, sometimes ignore errors (e.g., aes.NewCipher returned error ignored), and show padding/IV handling that must be carefully reviewed. The bundle itself includes a 'Security Notice' that identifies and corrects many of these issues — follow those corrections. Before using any example code in production you should: (1) replace all math/rand usages with crypto/rand, (2) ensure constant-time comparisons for MACs, (3) handle errors properly and avoid panics, (4) validate DH primes and parameter sizes, (5) test against official Telegram reference vectors, and (6) obtain a cryptographer/security audit. If you need the skill to perform runtime actions (build/run code, handle real keys, or contact networks), do not use these examples directly; instead implement corrected, reviewed code and treat all sample keys/IDs as documentation-only.
Review Dimensions
- Purpose & Capability (ok): Name/description match the provided content: all files are MTProto protocol references, handshake, encryption, TL language, and implementation examples. There are no unrelated env vars, binaries, or installs requested.
- Instruction Scope (note): SKILL.md and referenced files are purely implementation guidance and do not instruct the agent to read system files, exfiltrate data, or call external endpoints. However, multiple code examples demonstrate insecure practices (use of math/rand, improper IV handling, panic-based error handling, ignoring returned errors) — the package includes a clear security notice that calls these out and provides corrections.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code to be downloaded or executed at install time, so there is no install-time code execution risk.
- Credentials (ok): No environment variables, credentials, or config paths are requested. There are no surprising permissions or cross-service credentials required.
- Persistence & Privilege (ok): Skill is not always-enabled and uses default invocation behavior. It does not request to persist configuration or modify other skills or system-wide settings.
