Trust Assessment
telegram-field-bot received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Missing required field: name", "Sensitive user data sent to external LLM for summarization", and "Unpinned Python dependencies".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Sensitive user data sent to external LLM for summarization.** The `generate_daily_report` function constructs a prompt for an external LLM that includes a full JSON dump of all daily reports. These reports contain potentially sensitive user data such as `user_id`, `username`, `photo_path`, `caption`, `location`, and `text` from Telegram messages. Sending this raw, unredacted data to a third-party LLM service poses a significant data privacy risk, as the LLM provider's data handling and retention policies may not align with user expectations or regulatory requirements. Recommendation: before sending data to an external LLM, implement robust data anonymization or filtering; only send aggregated, non-identifiable, or strictly necessary information; consider performing initial summarization or sensitive data extraction locally; ensure explicit user consent is obtained for data processing by third-party LLMs and that the LLM provider has a strong data privacy agreement. | LLM | SKILL.md:210 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Recommendation: add a `name` field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/telegram-field-bot/SKILL.md:1 |
| LOW | **Unpinned Python dependencies.** The `pip install` command in the 'Requirements' section specifies `python-telegram-bot` and `requests` without pinning their versions. This can lead to non-reproducible builds, unexpected behavior due to breaking changes in newer dependency versions, or security exposure if a future version of a dependency introduces malicious code or critical bugs; without version pinning, the exact environment cannot be guaranteed. Recommendation: pin dependency versions to ensure reproducible and secure builds, for example `pip install python-telegram-bot==X.Y.Z requests==A.B.C`, or specify exact versions in a `requirements.txt` file, and regularly review and update pinned dependencies to incorporate security patches. | LLM | SKILL.md:230 |