Trust Assessment
telegram-groupchat-setup received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Credential Harvesting: Telegram Bot Token Access", and "Excessive Permissions: Broad Configuration Read".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Credential Harvesting: Telegram Bot Token Access** The `detect_bot_info.sh` script directly accesses and reads the Telegram bot token from the `moltbot.json` configuration file. While the script uses the token for a legitimate API call and does not explicitly print it, the direct handling of a sensitive credential by an untrusted script poses a significant risk. If the LLM's execution environment is compromised or if the script were subtly modified, this token could be exfiltrated. Avoid direct file system access to credential files from untrusted scripts. Instead, pass necessary credentials securely as environment variables or through a dedicated, sandboxed credential management system. Ensure the LLM environment prevents logging of sensitive data. | LLM | scripts/detect_bot_info.sh:14 |
| HIGH | **Command Injection: Execution of External Script with Environment Variable Dependency** The skill explicitly instructs the agent to execute the external shell script `skills/groupchat-setup/scripts/detect_bot_info.sh`. This script performs file I/O, network requests, and executes `python3`. While the script's internal handling of variables appears robust against simple injection, the execution of an external script with these capabilities is inherently a command injection risk if the LLM's execution environment is not strictly sandboxed. Furthermore, the script uses `CONFIG_PATH="${CLAWDBOT_CONFIG_PATH:-$HOME/.clawdbot/moltbot.json}"`. If an attacker can control the `CLAWDBOT_CONFIG_PATH` environment variable (e.g., via a prompt injection that manipulates the LLM's execution context), they could force the script to attempt to read an arbitrary file, leading to data exfiltration or unexpected behavior, even if direct Python code injection via the path string is mitigated by quoting. Avoid direct execution of external shell scripts from untrusted skill content. If necessary, use a highly sandboxed execution environment. Ensure that environment variables like `CLAWDBOT_CONFIG_PATH` cannot be controlled by untrusted input or the LLM itself. Implement strict allowlisting for file paths accessed by the agent. | LLM | SKILL.md:40 |
| MEDIUM | **Sensitive environment variable access: $HOME** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/arekqq/tg-groupchat-setup/scripts/detect_bot_info.sh:8 |
| MEDIUM | **Excessive Permissions: Broad Configuration Read** The skill instructs the agent to use `gateway action: "config.get"` to retrieve the current gateway configuration. This action can return the entire configuration, which may contain sensitive information (e.g., other API keys, database credentials) beyond what is strictly necessary for merging `groupAllowFrom` and `mentionPatterns`. This broad read access increases the risk of data exfiltration if the LLM's output is not carefully controlled. If possible, use a more granular `config.get` action that retrieves only the specific sections required (e.g., `channels.telegram.groupAllowFrom`, `messages.groupChat.mentionPatterns`). Ensure the LLM is strictly instructed not to log or display the full configuration. | LLM | SKILL.md:68 |
| MEDIUM | **Excessive Permissions: Configuration Modification with Unsanitized User Input** The skill instructs the agent to use `gateway action: "config.patch"` to modify the bot's configuration, incorporating user-provided `group_id` and `allowed_users`. This is a powerful write operation that can alter critical operational parameters. Without explicit sanitization of these user inputs before they are embedded into the JSON patch, there is a risk of JSON injection or unintended configuration changes if malicious input is provided (e.g., a `group_id` that breaks the JSON structure or injects other config values). Implement robust input validation and sanitization for all user-provided inputs (`group_id`, `allowed_users`) before they are used to construct the JSON patch. Ensure that the `gateway` tool itself validates incoming patches to prevent malformed or malicious configurations. | LLM | SKILL.md:56 |