Is c-drew/telegram-usage safe?

https://github.com/openclaw/skills/tree/main/skills/c-drew/telegram-usage

Overall score: 77 (CAUTION)

This skill is a personal development tool for the clawdbot platform that was published without adaptation for general distribution. The primary concern is that SKILL.md hardcodes the author's local server filesystem path (/home/drew-server/...), making the skill non-functional on any other machine and raising prompt injection concerns about absolute-path command instructions. A bundled session-reader.js provides the capability to read full conversation transcript files from ~/.clawdbot session stores — data that may include credentials or sensitive information — though this module is not called by the main handler and no active exfiltration was observed during the install audit.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

HIGH Hardcoded Author Server Path in SKILL.md -25

SKILL.md instructs the agent to execute a Node.js script at the absolute path /home/drew-server/clawd/skills/telegram-usage/handler.js. This is the skill author's local server filesystem path and will not exist on any other user's machine. The agent will be instructed to run a command that fails silently or errors, making the skill entirely non-functional outside the author's environment. This also represents an absolute-path command injection pattern in the skill manifest.

MEDIUM Session Transcript Reader Bundled in Skill -25

session-reader.js implements readTokensFromTranscript() which opens and parses ~/.clawdbot/agents//sessions/.jsonl files — raw conversation transcript logs. These files contain the full message history of AI sessions and may include API keys, passwords, PII, or sensitive business context shared in conversation. The file also reads sessions.json to enumerate active session IDs. This file is not called by the main handler but is present in the skill bundle and runnable as a CLI tool.

MEDIUM Skill Reports Fabricated Statistics as Real Data -20

handler.js hardcodes token usage values (input: 2847, output: 1523) and context window values (used: 1856, total: 4096) while SKILL.md and README.md both describe the skill as showing 'real' session statistics. Only quota percentage and reset timer reflect actual live data. An agent presenting this output to a user would be presenting false information as factual session data.

LOW Shell Command Execution via execSync -22

handler.js calls execSync('clawdbot models status', { encoding: 'utf-8' }) to retrieve quota data. The command string is hardcoded and not user-influenced, limiting injection risk. However, execSync spawns a shell process, and resolution of the clawdbot binary depends on the PATH environment variable, which could be manipulated in adversarial environments.

LOW Undocumented Latent Session Access Capability -20

session-reader.js is present in the skill bundle and is runnable as a standalone CLI tool, but is neither documented in SKILL.md nor imported by handler.js. Its presence creates an undocumented capability that could be discovered and invoked by the agent or through skill chaining. The file exports collectUsageStats() and formatStats() which together read session stores and transcript files.

LOW Persistent File Write to User Home Directory -10

handler.js unconditionally creates ~/.clawdbot/quota-tracker.json on first invocation, writing a JSON file with startTime and resetHours fields. This establishes a persistent artifact in the user's home directory outside the skill's working directory. Low severity as the data written is non-sensitive, but represents an unexpected filesystem side-effect.

INFO Clean Clone — GitHub Only 0

Installation cloned only from github.com (140.82.121.4:443). Pre-existing Canonical/Ubuntu update connections were present before clone and are unrelated to the skill. No new persistent connections established after install. DNS activity limited to github.com resolution.

INFO Canary File Reads Attributed to Audit Infrastructure 0

Canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at timestamps 1771904150 (5.5 seconds before the git clone) and 1771904173 (post-install). Both batches match the audit platform's own canary-state-capture pattern. No skill code was executing at those timestamps. All canary files confirmed intact.