Format and deliver rich Telegram messages with HTML formatting via direct Telegram API. Auto-invoked by the main session for substantive Telegram output — no other skills need to call it. Decision rule: If your Telegram reply is >3 lines or contains structured data (lists, stats, sections, reports), spawn this as a Haiku sub-agent to format and send. Short replies (<3 lines) go directly via OpenClaw message tool. Handles: research summaries, alerts, status updates, reports, briefings, notificati
Security Analysis
medium confidence
The skill's declared behavior (format and send Telegram messages using a bot token from the local OpenClaw config) matches its instructions and required config access, with only a small documentation mismatch about required binaries.
The skill's name and description match what the SKILL.md instructs: read a specified bot token from the OpenClaw config and send formatted Telegram messages via api.telegram.org. One inconsistency: the registry metadata lists no required binaries, while the SKILL.md metadata and examples require jq and curl. Needing the bot token (channels.telegram.accounts.<account>.botToken) is appropriate for the stated purpose.
Instructions are narrowly scoped to formatting content and using a provided account's botToken from the local OpenClaw config to call Telegram's sendMessage API. The skill explicitly forbids auto-selecting or iterating accounts (caller must provide account name). It uses shell examples (jq/curl) and requires Read/exec tools; these are expected for this task but grant the sub-agent the ability to run commands and read local files — so correct behavior depends on the agent obeying the 'do not auto-select' rule. The SKILL.md also directs returning message_id but not the message contents, which is coherent.
Instruction-only skill with no install spec and no code files — lowest-risk delivery model. Nothing is downloaded or written by an installer.
The only sensitive access required is the Telegram bot token stored in the OpenClaw config at channels.telegram.accounts.<account>.botToken, which is proportional to sending messages. No unrelated credentials or environment variables are requested. The only minor issue is the documentation mismatch about required binaries (jq/curl) vs registry metadata.
The skill is not marked always:true and does not request persistent system-level privileges or modify other skills. It is designed to be spawned as a sub-agent when needed and to read only the specified OpenClaw config path for the provided account.
Guidance
This skill appears to do what it says: format messages and call Telegram's API using a bot token stored in your OpenClaw config. Before installing, confirm: (1) jq and curl are actually available on hosts that will run this skill (SKILL.md uses them, even though the registry metadata omitted them), (2) the OpenClaw config path (~/.openclaw/openclaw.json or ~/.openclaw/clawdbot.json) contains only the bot tokens you expect and has proper filesystem permissions, (3) callers must supply the account name — verify your agent enforces that rule (the skill's safety depends on not auto-iterating accounts), and (4) evaluate whether allowing the sub-agent exec/read tools matches your risk posture (these tools enable the shell examples but could run arbitrary commands if the agent is compromised). If uncertain, test with a throwaway Telegram bot/account and rotate tokens after testing.
Latest Release
v1.0.4
**Summary:** This update requires callers to explicitly specify the Telegram bot account for all deliveries; auto-selection of accounts is no longer allowed.
- The bot account name (e.g., "main") must now be provided by the caller for every message; the skill will not auto-select or iterate accounts.
- Session/task templates and documentation updated to require explicit `Bot account: <account_name>` specification.
- Credentials section and all usage examples revised to validate and use only the specified account.
- Added `metadata` with OS, binary, network, and credential requirements.
- Improved error handling and validation message if account is missing or invalid.
- No runtime/code file changes—documentation only.
Published by @tmchow on ClawHub