Scan Report
0 /100
telegram-group-moderation
Telegram group moderation integration layer: receives webhook events, normalizes messages, calls external moderation core, and executes Telegram moderation actions (delete/warn/mute/ban/review)
This is a legitimate Telegram group moderation integration layer with no malicious behavior, properly scoped permissions, and well-documented external communications.
Safe to install
This skill is safe to deploy. Ensure the moderation core endpoint and Telegram bot token are kept in environment variables and that the webhook secret is properly configured in production.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | All network calls are outbound HTTP POST to Telegram API and configurable modera… |
| Filesystem | NONE | NONE | — | No filesystem access in any implementation script |
| Shell | NONE | NONE | — | No shell command execution in any implementation script |
| Environment | READ | READ | ✓ Aligned | All scripts read only Telegram/API tokens via os.getenv / os.Getenv / System.get… |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | SQL schemas are reference files only; no DB code executes |
1 findings
Medium External URL 外部 URL
https://api.telegram.org references/install-and-usage.zh-CN.md:98 File Tree
21 files · 51.6 KB · 1917 lines Markdown 14f · 1413L
Python 1f · 186L
Go 1f · 180L
Java 1f · 80L
JSON 1f · 29L
SQL 2f · 27L
Text 1f · 2L
├─
▾
references
│ ├─
action-policy.md
Markdown
│ ├─
architecture.md
Markdown
│ ├─
audit-log-rollout.zh-CN.md
Markdown
│ ├─
audit-log-schema-example.sql
SQL
│ ├─
clawhub-release-copy.zh-CN.md
Markdown
│ ├─
db-schema-example.sql
SQL
│ ├─
http-contract-example.json
JSON
│ ├─
http-contract-production-v2.zh-CN.md
Markdown
│ ├─
http-contract-production.zh-CN.md
Markdown
│ ├─
install-and-usage.zh-CN.md
Markdown
│ ├─
multi-language-integration.md
Markdown
│ ├─
php-yaf-integration.md
Markdown
│ ├─
production-rollout.zh-CN.md
Markdown
│ ├─
redis-db-offense-store.zh-CN.md
Markdown
│ ├─
release-notes.zh-CN.md
Markdown
│ └─
telegram-event-mapping.md
Markdown
├─
▾
scripts
│ ├─
▾
contracts
│ │ └─
README.txt
Text
│ ├─
go_telegram_webhook_example.go
Go
│ ├─
java_telegram_webhook_example.java
Java
│ └─
python_telegram_webhook_example.py
Python
└─
SKILL.md
Markdown
Security Positives
✓ All secrets (bot token, webhook secret, moderation core token) are accessed exclusively through environment variables
✓ Webhook secret validation is implemented and enforced before processing
✓ All network calls use explicit timeouts (10-15s) to prevent resource exhaustion
✓ External network targets are restricted to Telegram API and a configurable moderation core endpoint
✓ SKILL.md correctly documents the integration-layer scope with clear boundaries
✓ Chat allowlist and admin exemption patterns are documented for security-hardened deployments
✓ No obfuscation techniques (base64, eval, atob) are present in any script
✓ No credential harvesting or environment variable enumeration for sensitive keys beyond declared Telegram/API tokens
✓ No shell command execution, reverse shells, or C2 communication patterns detected
✓ All scripts are clearly labeled as examples/demos, not production-ready final code