Is hengbo12345/telegram-todolist safe?
https://github.com/openclaw/skills/tree/main/skills/hengbo12345/telegram-todolist
The telegram-todolist skill is a straightforward TODO.md file manager with no prompt injection, no network exfiltration code, and no malicious installation behavior. Canary file accesses observed in monitoring logs are attributable to the oathe audit framework's own baseline and integrity-check phases rather than the skill, and all canary files were confirmed intact. The only noteworthy concerns are cosmetic: a hardcoded /root/ path assumption and a Python script that, while entirely benign, increases the executable code surface area slightly.
Findings (4)
LOW Hardcoded absolute path to /root/.openclaw/workspace/TODO.md -10
Both SKILL.md and todolist.py hardcode the TODO file path to /root/.openclaw/workspace/TODO.md. This assumes root user execution and reveals knowledge of the openclaw workspace layout. While not exfiltration, it constrains portability and could aid a malicious actor in understanding agent filesystem layout if the skill is combined with other skills.
LOW Executable Python script included in skill package -15
The skill ships a Python script (scripts/todolist.py) as an optional implementation resource. The script contains only benign file I/O and regex parsing, with no shell execution, network calls, or dangerous imports. However, the presence of executable code increases the attack surface compared to a documentation-only skill.
INFO Canary files accessed during monitoring - attributed to audit framework 0
Inotify and auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at epochs 1771933653 (pre-clone) and 1771933672 (post-install). Temporal correlation with oathe audit infrastructure events (ss -tunap baseline, canary integrity checks) and the CLOSE_NOWRITE-only access mode indicate these are audit system reads, not skill-initiated exfiltration. Canary integrity checks confirmed all files intact.
INFO Skill description uses Telegram framing but has no bot infrastructure -10
The skill markets itself as a 'Telegram bot Todo List manager' but the actual implementation is a plain markdown file manager. No Telegram API tokens, bot IDs, or webhook URLs are present. This mismatch between description and implementation is not malicious but could mislead users about the skill's actual capabilities.