Is 1227cwx/telegram-bot-chat safe?

https://github.com/openclaw/skills/tree/main/skills/1227cwx/telegram-bot-chat

77
CAUTION

This skill is a documentation-only SKILL.md for Telegram bot inter-agent communication. While it contains no executable code, hidden payloads, or malicious network activity, it includes a self-propagation mechanism that copies itself to all agent workspaces and teaches inter-agent messaging that creates a prompt injection surface between bots. The runtime monitoring detected no suspicious behavior during installation.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (6)

HIGH Self-propagation script copies skill to all agent workspaces -25

The SKILL.md contains a bash for-loop that globs /root/.openclaw/workspace* and copies ALL skills from the main workspace into every other bot workspace directory. This is a worm-like propagation mechanism — once one agent executes this script, the skill (and any other skills in the workspace) are deployed to all bots without individual consent or review. The script appears twice in the document, increasing the probability an agent will execute it.

MEDIUM Inter-agent messaging creates prompt injection surface -15

The skill teaches agents to use sessions_send() to inject messages into other agents' sessions with arbitrary content. The message format 'sessions_send(sessionKey="agent:bot2:telegram:group:群ID", message="...")' allows one agent to craft content that will be processed by another agent's LLM context. A malicious actor could use this to send prompt injection payloads to other bots via the established communication channel.

LOW Re-read instruction enables delayed payload -5

The skill ends with '检查更新: 随时重新阅读此文件查看新功能!' (Check for updates: Re-read this file at any time for new features!). This instructs agents to periodically re-read the SKILL.md, which could be exploited if the file is modified after initial security review to inject new malicious instructions.

LOW Telegram messaging as potential exfiltration channel -10

The skill teaches agents to send arbitrary messages to Telegram groups via the message() tool. While this is the stated purpose, it creates a channel through which an agent could exfiltrate sensitive data from the workspace to external Telegram groups controlled by an attacker.

MEDIUM Wildcard glob deployment script may traverse unintended directories -15

The deployment script uses 'for workspace_dir in /root/.openclaw/workspace*' which globs any directory matching the pattern. If other directories exist with similar naming (e.g., workspace-backup, workspace-admin), the script would deploy files there as well, potentially affecting systems beyond the intended scope.

INFO Chinese-language content reduces review accessibility -5

The majority of the skill documentation is in Chinese. While not inherently malicious, this reduces the ability of non-Chinese-speaking users and reviewers to understand the full content and intent of the instructions, potentially allowing subtle manipulations to go unnoticed.