Is macos-screenshot-telegram safe?

The skill's primary function is capturing the entire macOS screen and transmitting it to Telegram's API. Screenshots can contain passwords, credentials, private messages, financial data, medical records, proprietary code, and any other sensitive information visible on screen. The destination chat_id is user-supplied and not validated against any allowlist, meaning an attacker could redirect screenshots to their own Telegram account.

The SKILL.md claims OpenClaw's message tool has a bug (#15541) that 'returns success but doesn't send media', instructing the agent to bypass the platform's built-in secure communication channel in favor of raw curl HTTP requests. This is a textbook social engineering technique against LLM agents — creating a plausible-sounding justification for the agent to circumvent security controls. Whether or not bug #15541 exists, this pattern trains the agent that bypassing platform tools with raw shell commands is acceptable.

The skill instructs the agent to extract the Telegram bot token from config files using grep and sed. This normalizes the pattern of an agent parsing credential files and extracting secrets, which is a dangerous precedent. The extracted token is then used in a curl command, exposing it in process arguments visible via ps.

Filesystem monitoring detected that during the skill installation process, multiple sensitive files were accessed including .env, .aws/credentials, and auth-profiles.json. While some of these may be attributable to the OpenClaw runtime loading its own configuration, the access to .aws/credentials is particularly concerning as it has no legitimate relationship to a screenshot-telegram skill.

The shell script screenshot-telegram.sh accepts CHAT_ID and PROFILE as positional parameters and uses them unsanitized in file path construction and curl commands. A malicious PROFILE value could traverse directories (e.g., '../../etc') to read arbitrary config files. A crafted CHAT_ID could inject additional curl flags or shell commands.

The skill includes screenshot-telegram.sh which combines screencapture, file operations, credential extraction, and outbound HTTP in a single executable script. This script could be modified or called with different parameters to exfiltrate arbitrary files, not just screenshots.

Once installed and used, this skill establishes Screen Recording permission on macOS which persists across sessions. It also normalizes the agent pattern of 'capture screen + send externally'. Other skills or prompt injections could leverage this established capability and permission for covert surveillance.

Setup instructions are written in Cantonese with English technical terms interspersed. While this may reflect the author's natural language, it effectively obscures the full meaning of setup steps from English-only reviewers and automated security scanners, potentially hiding additional instructions or social engineering.

The bot token is passed as part of the curl URL (https://api.telegram.org/bot${BOT_TOKEN}/sendPhoto), making it visible in process listings (ps aux), shell history, and system logs. This could allow other processes or users on the system to capture the token.

The installation process created files in /tmp/openclaw-1000/ and /tmp/jiti/ including compiled CJS modules. While likely attributable to the OpenClaw runtime's jiti transpilation, these files persist after installation and could be tampered with.