Is arekqq/tg-groupchat-setup safe?

https://github.com/openclaw/skills/tree/main/skills/arekqq/tg-groupchat-setup

88
SAFE

The arekqq/tg-groupchat-setup skill is a legitimate Telegram bot configuration tool with no prompt injection, no evidence of malicious data exfiltration, and clean install-time behavior. The primary concern is a code-quality defect in detect_bot_info.sh where raw Telegram API response content is unsafely interpolated into Python source code, creating a theoretical code injection risk if the API endpoint is compromised or subjected to a MITM attack. Canary files were accessed only by the audit monitoring infrastructure and were confirmed intact; no attacker-controlled endpoints were contacted.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

HIGH Unsafe API response interpolation enables Python code injection -20

detect_bot_info.sh captures the raw HTTP response from api.telegram.org into $RESPONSE and then inlines it verbatim into a Python triple-quoted string using command substitution: data = json.loads('''$RESPONSE'''). Any response body containing the sequence ''' would break out of the string literal and allow arbitrary Python to execute in the same interpreter context. Because the agent may run this script with user-level credentials during normal operation, the blast radius includes filesystem access, credential theft, and network exfiltration. The attack requires either a MITM on the TLS connection to api.telegram.org or compromise of that endpoint.

LOW CONFIG_PATH unsanitized in Python inline code -10

The shell variable $CONFIG_PATH (defaulting to $HOME/.clawdbot/moltbot.json but overridable via environment) is spliced directly into a Python inline string: with open('$CONFIG_PATH') as f:. A path containing a single quote would produce a Python syntax error or, with crafted content, a minor injection. Because the variable is user-controlled via the environment, this is a low-severity code-quality issue rather than an immediate threat.

LOW Bot token extracted and transmitted to external API -8

The script reads channels.telegram.botToken from the gateway config file and sends it as a URL path component to https://api.telegram.org. While this is required by the skill's stated function (auto-detecting bot name and username), it means the bot token traverses an external network path. If the agent's network is monitored or the token is logged by intermediate infrastructure, this constitutes inadvertent credential exposure. The destination (Telegram's official API) is trusted, but users should be aware the token leaves the local environment.

LOW Gateway config file read for token extraction -5

detect_bot_info.sh opens ~/.clawdbot/moltbot.json, which may contain the full MoltBot gateway configuration including all channel credentials. The script only uses the Telegram bot token, but access to this file by a skill establishes a read pattern that could be expanded in a future version.

INFO External URL reference in implementation instructions -5

SKILL.md includes a fallback instruction referencing https://api.telegram.org/bot/getMe. This is a legitimate Telegram Bot API endpoint documented in the skill's workflow, not an attempt to redirect the agent to an attacker-controlled endpoint. No obfuscated or encoded URLs detected.

INFO GitHub HTTPS connection during install -8

Installation makes a single outbound HTTPS connection to 140.82.121.3:443 (github.com) to clone the monorepo and perform a sparse checkout. No other external connections were initiated. The connection diff shows no new listening ports or persistent connections after installation.