Is crazypeace/telegram-pairing-message-customization safe?

https://github.com/openclaw/skills/tree/main/skills/crazypeace/telegram-pairing-message-customization

84
SAFE

This skill provides legitimate functionality for customizing Telegram bot pairing messages by modifying JavaScript code and restarting the service. While it executes system commands and modifies files, these operations are appropriate for the stated purpose and no malicious behavior was detected.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 73/100 · 5%

Findings (4)

MEDIUM Service restart command execution -15

The skill executes the 'openclaw gateway restart' command, which could disrupt service availability during the restart process.

MEDIUM System file modification -7

The skill modifies JavaScript source files in the OpenClaw installation, which could break bot functionality if modifications are incorrect.

LOW Potential for message content misuse -20

The skill allows insertion of arbitrary custom messages into Telegram bot responses, which could be misused for phishing or social engineering if malicious content is provided.

LOW Codebase search operations -15

The skill searches through the codebase to locate specific JavaScript patterns, which could access unintended files containing similar patterns.