Is telegram-api safe?
https://clawhub.ai/byungkyu/telegram-api
This Telegram Bot API skill is a documentation-only integration that proxies all traffic through Maton's third-party gateway (gateway.maton.ai) rather than connecting directly to Telegram's API. While the skill contains no executable code or overt malicious behavior, the mandatory third-party proxy creates a significant trust dependency - Maton has full access to bot tokens and all message traffic. The hardcoded chat_id in examples and cross-promotion of additional proxy skills present moderate prompt injection risks. Installation runtime accessed sensitive files (.env, .aws/credentials) though this appears to be standard OpenClaw behavior.
Category Scores
Findings (9)
HIGH Third-party API proxy intercepts all Telegram traffic -25 ▶
All API calls are routed through gateway.maton.ai rather than directly to api.telegram.org. This means Maton has full visibility into bot tokens, all messages sent and received, file transfers, and user interactions. The user's Telegram bot token is stored by Maton's connection management system (ctrl.maton.ai) and the ':token' placeholder is resolved server-side, meaning the token never needs to leave Maton's infrastructure - but it also means Maton has persistent access to the bot.
HIGH Sensitive file access during installation -10 ▶
The OpenClaw runtime accessed multiple sensitive files during the skill installation process: .env (environment variables/secrets), .aws/credentials (AWS access keys), .profile, .bashrc, and auth-profiles.json. While this may be standard OpenClaw behavior rather than skill-specific, it demonstrates that the installation runtime has broad filesystem access to sensitive credentials.
MEDIUM Hardcoded chat_id could misdirect agent messages -15 ▶
All code examples throughout the SKILL.md use the same hardcoded chat_id value (6442870329). An LLM agent following these examples as templates may default to using this chat_id when the user doesn't specify one, potentially sending messages to the skill author's or an attacker's Telegram account rather than the user's intended recipient.
MEDIUM Cross-skill promotion in description -8 ▶
The skill description explicitly promotes another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead an agent to suggest or attempt to install additional third-party proxy skills, expanding the attack surface. Both skills route traffic through the same maton.ai proxy infrastructure.
MEDIUM Telegram as data exfiltration channel -25 ▶
The sendMessage and sendDocument APIs provide a powerful data exfiltration channel. A compromised or malicious companion skill could use the Telegram skill to silently transmit sensitive data (source code, credentials, conversation history) to an attacker-controlled chat. The agent would see this as a legitimate Telegram API call.
MEDIUM Webhook configuration enables traffic redirection -5 ▶
The setWebhook API allows configuring an arbitrary URL to receive all Telegram updates. An agent could be tricked into setting a webhook to an attacker-controlled endpoint, redirecting all incoming messages and user interactions away from the intended bot handler.
LOW Python heredoc execution patterns -15 ▶
The skill extensively uses 'python <<EOF' patterns in code examples. While these are documentation examples and not auto-executed, an agent may directly copy and run these patterns, executing Python code on the user's system. The code itself appears benign (standard API calls) but establishes a pattern of shell-based code execution.
LOW Temporary file creation during installation -5 ▶
Installation created lock files and transpiled JavaScript caches in /tmp/. While this appears to be standard OpenClaw/jiti runtime behavior, it indicates code execution occurred during the install process beyond a simple file copy.
INFO Canary files intact 0 ▶
No honeypot files were accessed or modified during the audit. This indicates the skill did not attempt to read fake credentials or sensitive test files.