Low Risk — Risk Score 20/100
Last scan: 2 days ago
telegram-contract-ops
Telegram-based internal contract generation and eID intake workflow for Vietnamese operations
This is a legitimate Vietnamese contract generation and eID OCR workflow with expected Telegram API integration and subprocess usage, though SKILL.md lacks formal allowed-tools declarations.
Skill Name: telegram-contract-ops
Duration: 35.0s
Engine: pi
Safe to install
Add formal allowed-tools declaration to SKILL.md (filesystem:WRITE, network:READ, shell:WRITE, environment:READ) and document the execFileSync usage for docx generation.

Findings (2 items)

Severity | Finding | Location
Low
SKILL.md lacks allowed-tools declaration
The skill does not declare any allowed-tools permissions despite code using filesystem write, network read, shell execution, and environment variable access.
No allowed-tools section present
→ Add an allowed-tools declaration section to align with the pi skill schema
SKILL.md:1
Low
Hardcoded workspace paths in Python script
The Python script contains hardcoded paths under /Users/vtammm/.openclaw/workspace which may not exist in all environments.
WORKSPACE = Path('/Users/vtammm/.openclaw/workspace')
→ Use environment variables or relative paths for cross-platform compatibility
scripts/plan-b-docx-generate.py:19
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ Aligned | scripts/telegram-planb-bot.js:36-37
Network | NONE | READ | ✓ Aligned | scripts/telegram-planb-bot.js:46-51
Shell | NONE | WRITE | ✓ Aligned | scripts/plan-b-telegram-to-docx.js:119
Environment | NONE | READ | ✓ Aligned | scripts/telegram-planb-bot.js:7
4 findings
🔗 Medium | External URL | http://schemas.openxmlformats.org/wordprocessingml/2006/main | scripts/plan-b-docx-generate.py:11
🔗 Medium | External URL | https://api.telegram.org/bot$ | scripts/telegram-planb-bot.js:8
🔗 Medium | External URL | https://api.telegram.org/file/bot$ | scripts/telegram-planb-bot.js:60
📧 Info | Email | [email protected] | scripts/plan-b-docx-generate.py:46

File Tree

14 files · 51.3 KB · 1528 lines
JavaScript: 3 files · 782 lines | Markdown: 8 files · 446 lines | Python: 1 file · 208 lines | Swift: 1 file · 74 lines | Text: 1 file · 18 lines
├─ 📁 assets
│ └─ 📄 plan-b-telegram-template.txt Text 18L · 175 B
├─ 📁 references
│ ├─ 📝 architecture.md Markdown 33L · 922 B
│ ├─ 📝 clawhub.md Markdown 39L · 693 B
│ ├─ 📝 deployment.md Markdown 207L · 4.2 KB
│ ├─ 📝 input-template.md Markdown 24L · 300 B
│ ├─ 📝 macos.md Markdown 25L · 507 B
│ ├─ 📝 troubleshooting.md Markdown 30L · 1.0 KB
│ └─ 📝 windows.md Markdown 30L · 761 B
├─ 📁 scripts
│ ├─ 🐍 plan-b-docx-generate.py Python 208L · 10.2 KB
│ ├─ 📜 plan-b-telegram-to-docx.js JavaScript 172L · 6.0 KB
│ ├─ 📜 plan-c-eid-parse.js JavaScript 230L · 8.1 KB
│ ├─ 📄 plan-c-ocr.swift Swift 74L · 1.7 KB
│ └─ 📜 telegram-planb-bot.js JavaScript 380L · 14.5 KB
└─ 📝 SKILL.md Markdown 58L · 2.2 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
python3 (system) | n/a | system | No | Standard library only, no pip dependencies

Security Positives

✓ No base64-encoded payloads or obfuscated code
✓ No credential harvesting or data exfiltration to external IPs
✓ No unauthorized access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell or C2 communications
✓ Legitimate Telegram API integration for bot functionality
✓ Subprocess calls (python3, swift, node) are necessary for the stated contract generation workflow
✓ State files and temporary artifacts are stored in workspace-specific directories
✓ No suspicious network patterns (direct IP connections, DNS over HTTPS for tunneling)