telegram-group-moderation 安全扫描报告 — 可信 | ClawSafe

0 /100

telegram-group-moderation

Telegram group moderation integration layer: receives webhook events, normalizes messages, calls external moderation core, and executes Telegram moderation actions (delete/warn/mute/ban/review)

This is a legitimate Telegram group moderation integration layer with no malicious behavior, properly scoped permissions, and well-documented external communications.

技能名称telegram-group-moderation

分析耗时40.3s

引擎pi

✓

可以安装

This skill is safe to deploy. Ensure the moderation core endpoint and Telegram bot token are kept in environment variables and that the webhook secret is properly configured in production.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	All network calls are outbound HTTP POST to Telegram API and configurable modera…
文件系统	`NONE`	`NONE`	—	No filesystem access in any implementation script
命令执行	`NONE`	`NONE`	—	No shell command execution in any implementation script
环境变量	`READ`	`READ`	✓ 一致	All scripts read only Telegram/API tokens via os.getenv / os.Getenv / System.get…
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	SQL schemas are reference files only; no DB code executes

1 项发现

🔗

中危外部 URL 外部 URL

https://api.telegram.org

references/install-and-usage.zh-CN.md:98

目录结构

21 文件 · 51.6 KB · 1917 行

Markdown 14f · 1413L Python 1f · 186L Go 1f · 180L Java 1f · 80L JSON 1f · 29L SQL 2f · 27L Text 1f · 2L

├─ ▾ 📁 references

│ ├─ 📝 action-policy.md Markdown 41L · 963 B

│ ├─ 📝 architecture.md Markdown 75L · 1.5 KB

│ ├─ 📝 audit-log-rollout.zh-CN.md Markdown 60L · 1.0 KB

│ ├─ 📄 audit-log-schema-example.sql SQL 19L · 752 B

│ ├─ 📝 clawhub-release-copy.zh-CN.md Markdown 20L · 1.0 KB

│ ├─ 📄 db-schema-example.sql SQL 8L · 311 B

│ ├─ 📋 http-contract-example.json JSON 29L · 649 B

│ ├─ 📝 http-contract-production-v2.zh-CN.md Markdown 47L · 953 B

│ ├─ 📝 http-contract-production.zh-CN.md Markdown 104L · 1.9 KB

│ ├─ 📝 install-and-usage.zh-CN.md Markdown 377L · 7.9 KB

│ ├─ 📝 multi-language-integration.md Markdown 43L · 1.4 KB

│ ├─ 📝 php-yaf-integration.md Markdown 35L · 1.1 KB

│ ├─ 📝 production-rollout.zh-CN.md Markdown 153L · 3.4 KB

│ ├─ 📝 redis-db-offense-store.zh-CN.md Markdown 124L · 2.6 KB

│ ├─ 📝 release-notes.zh-CN.md Markdown 140L · 3.9 KB

│ └─ 📝 telegram-event-mapping.md Markdown 64L · 1.4 KB

├─ ▾ 📁 scripts

│ ├─ ▾ 📁 contracts

│ │ └─ 📄 README.txt Text 2L · 265 B

│ ├─ 📄 go_telegram_webhook_example.go Go 180L · 5.3 KB

│ ├─ 📄 java_telegram_webhook_example.java Java 80L · 3.3 KB

│ └─ 🐍 python_telegram_webhook_example.py Python 186L · 6.1 KB

└─ 📝 SKILL.md Markdown 130L · 5.9 KB

安全亮点

✓ All secrets (bot token, webhook secret, moderation core token) are accessed exclusively through environment variables

✓ Webhook secret validation is implemented and enforced before processing

✓ All network calls use explicit timeouts (10-15s) to prevent resource exhaustion

✓ External network targets are restricted to Telegram API and a configurable moderation core endpoint

✓ SKILL.md correctly documents the integration-layer scope with clear boundaries

✓ Chat allowlist and admin exemption patterns are documented for security-hardened deployments

✓ No obfuscation techniques (base64, eval, atob) are present in any script

✓ No credential harvesting or environment variable enumeration for sensitive keys beyond declared Telegram/API tokens

✓ No shell command execution, reverse shells, or C2 communication patterns detected

✓ All scripts are clearly labeled as examples/demos, not production-ready final code