Plugin v1.0.0
ClawScan security
Telegram Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 29, 2026, 9:41 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code matches the described Telegram management purpose but requests and accesses environment variables and local credential files that are not declared, and it embeds a large assistant-style prompt which could alter agent behavior — these inconsistencies warrant caution.
- Guidance: This plugin mostly does what its name says (manage Telegram webhook, pairing, groups, mentions), but there are important inconsistencies you should address before installing:
  1. The code expects TELEGRAM_BOT_TOKEN, WORKER_URL, and TELEGRAM_WEBHOOK_SECRET environment variables and reads/writes your OpenClaw credentials directory (~/.openclaw), but the skill metadata does not declare any required credentials — treat that as a red flag.
  2. The plugin embeds a large assistant-style prompt (BOT_TO_BOT_MENTION_PROMPT) that could influence agent responses; ask the author why this is embedded and how it's used.
  3. The plugin runs the 'openclaw config' CLI and writes local JSON pairing files — ensure you trust the source and that the agent runs in a least-privilege/sandboxed environment.
  
  Recommended actions: request the author to declare required env vars and document storage paths; review the full index.ts (you have it) or run the plugin in an isolated test agent with no sensitive credentials; only provide the Telegram token and webhook secret to agents you trust and monitor what config keys the plugin writes (channels.telegram.*). If you need higher assurance, ask for removal or explanation of the embedded prompt text and for explicit metadata declaring the needed environment variables.
- Findings
  - [system-prompt-override] unexpected: The code includes BOT_TO_BOT_MENTION_PROMPT: a multi-line string instructing the assistant to append a <conversation-state> block and follow strict rules. Embedding such assistant/system-style instructions inside a plugin is unexpected for a Telegram management tool and may alter the agent's reply behavior; this matches the scanner's system-prompt-override pattern.
Review Dimensions
- Purpose & Capability
  - concern: The skill is a Telegram management plugin and its code implements webhook, pairing, group, and mention operations (coherent). However, it relies on environment variables (TELEGRAM_BOT_TOKEN, WORKER_URL, TELEGRAM_WEBHOOK_SECRET) and reads/writes an OpenClaw credentials directory, yet the registry metadata declared no required environment variables or credentials. That mismatch (undeclared but required secrets/paths) is a coherence problem.
- Instruction Scope
  - concern: The runtime code tells the agent to call the Telegram API and to run openclaw CLI commands (openclaw config set/unset). It also reads/writes files under the OpenClaw credentials directory and uses process.env values. Additionally, the code contains a large BOT_TO_BOT_MENTION_PROMPT string with system-style instructions for appending a <conversation-state> block to replies — effectively a prompt that could influence agent behavior. The instructions access local config and secrets and include content that looks like a system-prompt override, which expands scope beyond simple Telegram config management.
- Install Mechanism
  - ok: There is no install spec; this is instruction/code-only and nothing gets fetched from external arbitrary URLs. No additional packages or downloads are executed at install time.
- Credentials
  - concern: The code reads TELEGRAM_BOT_TOKEN, WORKER_URL, TELEGRAM_WEBHOOK_SECRET and uses OPENCLAW_HOME or ~/.openclaw for credential storage, but the skill metadata lists no required env vars or primary credential. Requesting access to local credential directories and multiple environment secrets is proportionate for a Telegram webhook manager, but it should be declared up front; omission is a red flag. The BOT_TO_BOT_MENTION_PROMPT embedded in code is another unexpected secret-like artifact (it attempts to influence agent output).
- Persistence & Privilege
  - ok: always is false and disable-model-invocation is false (normal). The plugin reads/writes its own config keys via openclaw config and creates pairing files under its own OpenClaw config area; it does not request permanent 'always' inclusion or attempt to modify other skills' configs in the visible code.
