Plugin v0.2.0
ClawScan security
Telegram Multibot Relay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 5, 2026, 4:34 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code broadly matches its stated purpose (relaying between Telegram bot accounts and scheduling reminders), but it quietly reads workspace files, uses OpenClaw-stored API keys (Telegram bot tokens and an OpenAI-like provider), and makes external network calls that the SKILL.md does not explicitly call out — you should review those data-access paths before installing.
- Guidance: Before installing:
  1. Recognize that the plugin will read workspace files (IDENTITY.md, AGENTS.md, etc.) from the OpenClaw workspace — review those files for sensitive data you don't want sent externally.
  2. The plugin will use Telegram bot tokens stored in your OpenClaw config to call Telegram APIs and will attempt to use an OpenAI-like provider (baseUrl + apiKey) from config.models.providers to make chat/completions calls — ensure only minimal-permission keys are present and that you are comfortable with the gateway granting the plugin access to them.
  3. Audit index.js (present in the package) for any logging or data-sending behavior you consider risky; run the plugin in a test environment first.
  4. If you need stronger guarantees, ask the author to document the required gateway config keys and to explicitly disclose workspace-file reads and external provider use in the README/SKILL.md.
Review Dimensions
- Purpose & Capability (note): The plugin routes Telegram turns, schedules reminders, and calls Telegram APIs using bot tokens stored in the OpenClaw gateway config; that is coherent with its description. It also uses an OpenAI-compatible provider (baseUrl + apiKey) from the gateway config to make chat/completions calls — plausible for crafting relay messages but not documented in the SKILL.md.
- Instruction Scope (concern): The SKILL.md describes behavior at a high level but does not explicitly state that the runtime will read workspace files (IDENTITY.md, SOUL.md, AGENTS.md, TEAM.md, USER.md, TOOLS.md, MEMORY.md, RELAY.md) or call external LLM endpoints. The code's loadWorkspacePrompt reads those files from the workspace directory, which may contain sensitive agent or user context; the agent will also make network requests (fetch) to provider.baseUrl and Telegram API endpoints.
- Install Mechanism (ok): No install spec; the package is shipped as source files (index.js). Nothing is downloaded from arbitrary URLs during install, so installation risk is low.
- Credentials (note): The package requires no environment variables but expects the OpenClaw gateway config to contain Telegram bot tokens (config.channels.telegram.accounts.*.botToken) and optionally OpenAI-compatible provider entries (config.models.providers.* with baseUrl and apiKey). This is functionally reasonable, but the SKILL.md does not enumerate these config requirements or warn that API keys and agent workspace files will be used.
- Persistence & Privilege (ok): The plugin is not always-enabled and follows normal OpenClaw plugin behavior; it does not request system-wide persistence beyond being enabled in the gateway config.
