Trust Assessment
telegram-ops received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 2 high, 3 medium, and 1 low severity. Key findings include Command Injection via Unsanitized Shell Arguments, Credential Exposure via Command-Line Arguments, Potential Prompt Injection via Config Patching.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 47/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection via Unsanitized Shell Arguments The shell scripts `archive_topic.sh` and `create_topic.sh` directly interpolate user-provided arguments (e.g., `TOKEN`, `CHAT_ID`, `TOPIC_ID`, `CURRENT_NAME`/`NAME`, `EMOJI_ID`) into `curl` commands and JSON payloads without proper sanitization or escaping. This allows an attacker to inject arbitrary shell commands by crafting malicious input for these arguments. For example, providing a `CHAT_ID` like `123; evil_command` could lead to `evil_command` execution. Similarly, `NAME` or `CURRENT_NAME` containing shell metacharacters or unescaped quotes could break the JSON structure or lead to command execution. Sanitize all user-provided inputs before using them in shell commands or JSON payloads. For JSON, use a tool like `jq` to construct the JSON object safely, or ensure all special characters (especially quotes and backslashes) are properly escaped. For shell arguments, use `printf %q` or similar methods to quote arguments, or avoid direct interpolation by passing data via stdin or environment variables where appropriate. Example: `jq -n --arg chat_id "$CHAT_ID" --arg name "$ARCHIVED_NAME" '{chat_id: ($chat_id | tonumber), name: $name}'`. | LLM | scripts/archive_topic.sh:30 | |
| HIGH | Command Injection via Unsanitized Shell Arguments The shell scripts `archive_topic.sh` and `create_topic.sh` directly interpolate user-provided arguments (e.g., `TOKEN`, `CHAT_ID`, `TOPIC_ID`, `CURRENT_NAME`/`NAME`, `EMOJI_ID`) into `curl` commands and JSON payloads without proper sanitization or escaping. This allows an attacker to inject arbitrary shell commands by crafting malicious input for these arguments. For example, providing a `CHAT_ID` like `123; evil_command` could lead to `evil_command` execution. Similarly, `NAME` or `CURRENT_NAME` containing shell metacharacters or unescaped quotes could break the JSON structure or lead to command execution. Sanitize all user-provided inputs before using them in shell commands or JSON payloads. For JSON, use a tool like `jq` to construct the JSON object safely, or ensure all special characters (especially quotes and backslashes) are properly escaped. For shell arguments, use `printf %q` or similar methods to quote arguments, or avoid direct interpolation by passing data via stdin or environment variables where appropriate. Example: `jq -n --arg chat_id "$CHAT_ID" --arg name "$NAME" '{chat_id: ($chat_id | tonumber), name: $name}'`. | LLM | scripts/create_topic.sh:20 | |
| MEDIUM | Credential Exposure via Command-Line Arguments The `bot_token` is passed as a command-line argument to the `archive_topic.sh` and `create_topic.sh` scripts. This makes the sensitive token visible in process lists (`ps -ef`) to other users on the system and potentially stored in shell history files, increasing the risk of credential harvesting. Avoid passing sensitive credentials like API tokens as command-line arguments. Instead, use more secure methods such as environment variables, secure configuration files, or a secrets management system. If environment variables are used, ensure they are unset after use. | LLM | scripts/archive_topic.sh:7 | |
| MEDIUM | Credential Exposure via Command-Line Arguments The `bot_token` is passed as a command-line argument to the `archive_topic.sh` and `create_topic.sh` scripts. This makes the sensitive token visible in process lists (`ps -ef`) to other users on the system and potentially stored in shell history files, increasing the risk of credential harvesting. Avoid passing sensitive credentials like API tokens as command-line arguments. Instead, use more secure methods such as environment variables, secure configuration files, or a secrets management system. If environment variables are used, ensure they are unset after use. | LLM | scripts/create_topic.sh:7 | |
| MEDIUM | Potential Prompt Injection via Config Patching The `SKILL.md` documentation describes how to patch the OpenClaw configuration to set a `systemPrompt` for a topic using `gateway action=config.patch raw='{"channels":..."systemPrompt":"Topic-specific instructions"}'`. If an untrusted skill or user can execute arbitrary `gateway config.patch` commands, they could inject malicious instructions into the `systemPrompt` of another agent, potentially leading to prompt injection attacks against the LLM. Implement strict access controls and validation for `gateway config.patch` operations, especially when modifying `systemPrompt` fields. Ensure that only trusted sources can modify these configurations and that any user-provided input for `systemPrompt` is thoroughly sanitized and validated to prevent injection of malicious instructions. | LLM | SKILL.md:42 | |
| LOW | Data Exfiltration Risk Documented for Bot Token The `SKILL.md` documentation explicitly provides a command (`gateway action=config.get | jq -r '.result.parsed.channels.telegram.botToken'`) to retrieve the Telegram bot token from the OpenClaw configuration. While this is documentation, it highlights a potential data exfiltration path if an untrusted skill or user gains the ability to execute arbitrary `gateway config.get` commands, allowing them to extract sensitive credentials. Ensure that the `gateway` tool has robust access controls in place to prevent unauthorized access to sensitive configuration data. Limit the permissions of skills and users to only the necessary configuration keys. Consider masking or redacting sensitive information in logs or outputs where possible. | LLM | SKILL.md:14 |
Scan History
Embed Code
[](https://skillshield.io/report/7341d104bb69d203)
Powered by SkillShield