Teamgram Client E2E Flow

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill as reference could recommend or make server code changes that bypass licensing or access-control behavior, potentially violating policy or changing production behavior unexpectedly.

Why it was flagged

The skill is described as architecture and data-flow documentation, but this section tells the user or agent how to remove or bypass an enterprise feature gate without authorization caveats or safety limits.

Skill content

Unlock method: modify the enterprise-edition check logic of the corresponding helper in biz_service, removing or bypassing the `checkEnterprise()` call.

Recommendation

Remove the bypass guidance, or clearly restrict it to authorized development/testing contexts and require explicit user approval before any code modification.

What this means

If a deployment treats API hashes as sensitive, copying or reusing these values in production documentation or configuration could expose an application credential.

Why it was flagged

The document includes credential-like application identifiers used in the login API flow. The skill claims they are public and there is no runtime credential handling, so this is a notice rather than a direct misuse concern.

Skill content

`BuildVars.APP_ID = 4`; `BuildVars.APP_HASH = "014b35b6184100b085b0d0572f9b5103"` ... `auth.sendCode(phone_number, api_id, api_hash, settings)`

Recommendation

Confirm whether APP_HASH is intended to be public for the target deployment, and avoid publishing production-specific secrets.