CommunityOS Telegram Bot Skill Security Report — Low Risk | ClawSafe

20 /100

CommunityOS Telegram Bot Skill

Simple Telegram Bot management with LLM and knowledge base. Local-only, no external dependencies.

A legitimate Telegram bot management tool with minor security concerns: hardcoded auth bypass, undeclared subprocess spawning, and undocumented filesystem write operations, but no evidence of malicious behavior or credential exfiltration.

Skill NameCommunityOS Telegram Bot Skill

Duration49.5s

Enginepi

✓

Safe to install

Review and fix the require_auth() function to enforce actual authentication. Document all filesystem and shell operations in SKILL.md. Consider pinning dependency versions.

Findings 5 items

Severity	Finding	Location
Medium	Hardcoded authentication bypass The require_auth() function at admin/app.py:232 always returns 'admin' without any verification. The login endpoint exists but is never enforced. This is explicitly documented ('No Built-in Auth') but creates a significant vulnerability if the admin UI is accessed by unauthorized users. `def require_auth(request: Request) -> str: # 跳过登录验证，直接返回默认用户 return 'admin'` → Remove the bypass comment and implement actual session validation, or ensure the admin UI is strictly localhost-only.	`admin/app.py:232`
Low	Undeclared subprocess execution The SKILL.md does not mention that the skill can spawn background processes via subprocess.Popen to run the Telegram polling service. `process = subprocess.Popen([sys.executable, str(BASE_DIR / 'admin' / 'telegram_runner.py')])` → Document subprocess spawning capability in SKILL.md under Features or Architecture.	`admin/app.py:1128`
Low	Undocumented filesystem WRITE operations SKILL.md declares filesystem access implicitly through file upload features but does not explicitly document the full scope: file uploads, JSON persistence, ChromaDB writes, and directory deletion via shutil.rmtree. `filepath.write_bytes(content) # file upload` → Add explicit filesystem WRITE declaration in SKILL.md or move sensitive operations to a separate skill.	`admin/app.py:864`
Low	Unpinned dependencies requirements.txt does not pin versions for any packages, which could lead to supply chain issues if untrusted versions are installed. `fastapi==0.109.0 requests==2.31.0 ...` → Pin exact versions or minimum versions for all dependencies.	`requirements.txt:1`
Info	Example domain URLs in default config Default bot configs reference 'https://api.example.com/news' and 'https://feeds.example.com/web3' which are example domains, not actual exfiltration targets. `api_endpoint: 'https://api.example.com/news'` → No action needed - these are clearly example URLs for broadcast configuration.	`admin/app.py:142`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✗ Violation	admin/app.py:132 - save_json() writes JSON files; admin/app.py:864 - file upload…
Shell	`NONE`	`WRITE`	✗ Violation	admin/app.py:1128-1133 - subprocess.Popen spawns telegram_runner.py
Network	`READ`	`READ`	✓ Aligned	httpx/requests calls to api.telegram.org
Environment	`READ`	`READ`	✓ Aligned	os.environ.get() for API keys
Skill Invoke	`NONE`	`NONE`	—	N/A
Clipboard	`NONE`	`NONE`	—	N/A
Browser	`NONE`	`NONE`	—	N/A
Database	`NONE`	`WRITE`	✗ Violation	ChromaDB vector store writes to chroma_db/ directory

5 findings

🔗

Medium External URL 外部 URL

https://api.example.com/news

admin/app.py:142

🔗

Medium External URL 外部 URL

https://feeds.example.com/web3

admin/app.py:164

🔗

Medium External URL 外部 URL

https://api.telegram.org/bot

admin/app.py:463

🔗

Medium External URL 外部 URL

https://your-domain/api/telegram/webhook/

admin/app.py:1208

🔗

Medium External URL 外部 URL

https://api.example.com/v1

admin/lite.html:167

File Tree

12 files · 106.3 KB · 2632 lines

Python 6f · 1822L HTML 1f · 529L JSON 2f · 144L Markdown 2f · 130L Text 1f · 7L

├─ ▾ 📁 admin

│ ├─ 🐍 app.py Python 1320L · 59.7 KB

│ ├─ 📄 lite.html HTML 529L · 21.0 KB

│ └─ 🐍 telegram_runner.py Python 159L · 5.6 KB

├─ ▾ 📁 bot_engine

│ ├─ 🐍 __init__.py Python 1L · 25 B

│ ├─ 🐍 bot_instance.py Python 117L · 3.9 KB

│ ├─ 🐍 config_parser.py Python 63L · 2.3 KB

│ └─ 🐍 manager.py Python 162L · 6.3 KB

├─ ▾ 📁 config

│ └─ 📋 openclaw.json JSON 131L · 3.7 KB

├─ 📋 _meta.json JSON 13L · 425 B

├─ 📝 README.md Markdown 69L · 1.6 KB

├─ 📄 requirements.txt Text 7L · 129 B

└─ 📝 SKILL.md Markdown 61L · 1.7 KB

Dependencies 5 items

Package	Version	Source	Known Vulns	Notes
`fastapi`	`0.109.0`	pip	No	Version pinned
`uvicorn`	`0.27.0`	pip	No	Version pinned
`requests`	`2.31.0`	pip	No	Version pinned
`chromadb`	`0.4.22`	pip	No	Version pinned
`pyyaml`	`6.0.1`	pip	No	Version pinned

Security Positives

✓ No credential exfiltration - API keys are only used locally for LLM/Telegram API calls

✓ No base64-encoded commands or obfuscated shell execution

✓ No access to sensitive paths like ~/.ssh or ~/.aws

✓ No reverse shell, C2 communications, or data theft behavior

✓ Local-only operation documented (127.0.0.1 binding)

✓ External URLs use example.com domains, not real exfiltration endpoints

✓ File operations are standard web application patterns (upload/download/delete)

Scan Report

Findings 5 items

File Tree

Dependencies 5 items

Security Positives