Trusted — risk score 5/100
Last scan: 18 hours ago
telegram-md-uploader
Uploads .md files to Telegram chat using Bot API
Legitimate Telegram markdown file uploader with no security issues - all declared capabilities match implementation.
Skill name: telegram-md-uploader
Analysis time: 42.7s
Engine: pi
Verdict: safe to install
Skill is safe to use. Consider pinning requests library version for supply chain hygiene.

Security findings (1)

Severity | Finding | Category | Location
Low | Unpinned dependency | Supply chain | upload.py:1

The 'requests' library is used but not pinned to a specific version. This could lead to unexpected behavior if a new major version is installed.
    import requests
→ Add a requirements.txt with 'requests>=2.28.0,<3.0.0' or similar pinning
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ consistent | upload.py:29-31 - os.path.exists() and open(file_path, 'rb')
Network access | READ | READ | ✓ consistent | upload.py:22 - requests.post() to api.telegram.org
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found
Environment variables | READ | READ | ✓ consistent | upload.py:9-10 - Reads TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, declared in SKIL…
External URLs (2 findings)

Severity | Finding | URL | Location
Medium | External URL | https://t.me/BotFather | SKILL.md:12
Medium | External URL | https://api.telegram.org/bot | upload.py:22

Directory structure

2 files · 2.5 KB · 82 lines
Python: 1 file · 42 lines; Markdown: 1 file · 40 lines
├─ 📝 SKILL.md   Markdown   40 lines · 1.4 KB
└─ 🐍 upload.py  Python     42 lines · 1.1 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | import | | Version not pinned - consider adding requirements.txt

Security highlights

✓ All capabilities declared in SKILL.md match actual implementation
✓ No credential exfiltration - tokens only used for Telegram API authentication
✓ File path validated before reading (prevents path traversal)
✓ Only .md files accepted (extension validation)
✓ Clean, readable code with no obfuscation
✓ No shell execution, subprocess, or system command calls
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reading)
✓ No hidden instructions or prompt injection
✓ No base64 or encoded payloads
✓ Uses standard HTTPS for API communication