Teamgram Client E2E Flow
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: teamgram-client-e2e-flow Version: 1.0.0 The skill bundle consists entirely of technical documentation regarding the architecture and data flows of the Teamgram/KHF Android client and server. It contains no executable code, scripts, or instructions that would cause an AI agent to perform unauthorized actions, exfiltrate data, or compromise the host system (SKILL.md, _meta.json).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill as reference could recommend or make server code changes that bypass licensing or access-control behavior, potentially violating policy or changing production behavior unexpectedly.
The skill is described as architecture and data-flow documentation, but this section tells the user or agent how to remove or bypass an enterprise feature gate without authorization caveats or safety limits.
解锁方法:修改 biz_service 中对应 helper 的企业版检查逻辑,移除或绕过 `checkEnterprise()` 调用。
Remove the bypass guidance, or clearly restrict it to authorized development/testing contexts and require explicit user approval before any code modification.
If a deployment treats API hashes as sensitive, copying or reusing these values in production documentation or configuration could expose an application credential.
The document includes credential-like application identifiers used in the login API flow. The skill claims they are public and there is no runtime credential handling, so this is a notice rather than a direct misuse concern.
`BuildVars.APP_ID = 4`; `BuildVars.APP_HASH = "014b35b6184100b085b0d0572f9b5103"` ... `auth.sendCode(phone_number, api_id, api_hash, settings)`
Confirm whether APP_HASH is intended to be public for the target deployment, and avoid publishing production-specific secrets.