← Back to Skills Marketplace
680
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install telegrambot
Description
Manage and secure local high-privilege storage serving workflows. Use when creating, starting, stopping, or hardening a full-drive file server and related op...
Usage Guidance
Do not install or run this skill without verification. Specific points to consider:
- Metadata/name mismatch: the package is labeled as a Telegram-related skill but contains a 'God Mode Manager' file server — ask the publisher for clarification or source provenance.
- Hidden env vars: the bundle expects GOD_MODE_TOKEN and other env vars even though the registry declares none — set a strong token and verify the skill will not run without it.
- Dangerous defaults: the default root is C:\ (full system drive). If you must run this, change GOD_MODE_ROOT to a minimal directory and ensure GOD_MODE_HOST is 127.0.0.1 and token auth is enabled.
- Least privilege: do not run as an elevated user; run inside an isolated environment (sandbox, VM, container) for testing and audit which files are served.
- Audit the code: review scripts/server.cjs (provided) and test in a safe environment before exposing any network binding. If you don't trust the source or cannot verify the author, do not run it on production or sensitive hosts.
If the publisher can explain the naming/metadata discrepancy and update the registry to declare the required env vars and safer defaults, the risk would be reduced.
Capability Analysis
Type: OpenClaw Skill
Name: telegrambot
Version: 1.0.0
This skill is classified as suspicious due to its extremely broad default scope and a significant vulnerability in token handling. The `scripts/server.cjs` file, as described in `SKILL.md`, defaults to exposing the entire `C:\` drive via an HTTP server. While authentication and path traversal checks are implemented, the server allows the access token to be passed in URL query parameters, which can lead to token leakage in server logs and browser history (`scripts/server.cjs`, `assets/index.html`). This vulnerability, combined with the 'god-mode' level of access, poses a high risk if the token is compromised, allowing unauthorized read access to the entire system drive.
Capability Assessment
Purpose & Capability
The skill's published name/slug (Telegram-Bot-managerj / telegrambot) and the short description in the registry do not match the included files, which implement a 'God Mode Manager' local file server. That mismatch is a red flag: either the metadata is incorrect or the package was repurposed/mislabelled. The actual capability (serving the system root, listing and returning files) is plausible for a 'local storage manager' but is unexpected given the registry name.
Instruction Scope
SKILL.md and the runtime script are consistent with each other: the instructions tell the agent to run node scripts/server.cjs and to bind and require a token. The server implements listing, reading (with a small-size read endpoint) and full downloads under a configured ROOT. That behavior matches the stated operational purpose (manage/harden local storage), but the default ROOT is the system drive (C:\) and the README relies on operator discipline (bind to loopback, require token). This grants broad access to sensitive files if misconfigured.
Install Mechanism
There is no install script or external download; the skill is instruction-only plus included code files. Nothing is pulled from external URLs or installed automatically, which minimizes supply-chain risk. The code is plain JS included in the bundle.
Credentials
The registry metadata lists no required environment variables or primary credential, yet the code and SKILL.md rely on several environment variables (GOD_MODE_ROOT, GOD_MODE_HOST, GOD_MODE_PORT, GOD_MODE_TOKEN, GOD_MODE_TOKEN_REQUIRED, GOD_MODE_MAX_READ_BYTES). In particular GOD_MODE_TOKEN is required by default (the process will exit if missing). The absence of declared required env vars in metadata is an inconsistency that hides the need for a secret token and the risk of exposing sensitive data if defaults are used.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. However, running it gives the process access to the configured root (default: entire system drive). That is a high-privilege capability at runtime — dangerous if started unintentionally or with inadequate authentication/binding.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install telegrambot - After installation, invoke the skill by name or use
/telegrambot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of god-mode-manager skill.
- Provides management and security tools for local high-privilege storage workflows.
- Supports starting, stopping, and hardening a full-drive file server.
- Includes operational controls such as root path restriction, port configuration, and mandatory token-based authentication.
- Emphasizes local-only server binding, protection against path traversal, and JSON output for automation.
Metadata
Frequently Asked Questions
What is Telegram-Bot-managerj?
Manage and secure local high-privilege storage serving workflows. Use when creating, starting, stopping, or hardening a full-drive file server and related op... It is an AI Agent Skill for Claude Code / OpenClaw, with 680 downloads so far.
How do I install Telegram-Bot-managerj?
Run "/install telegrambot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Telegram-Bot-managerj free?
Yes, Telegram-Bot-managerj is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Telegram-Bot-managerj support?
Telegram-Bot-managerj is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Telegram-Bot-managerj?
It is built and maintained by manlight (@manlight87); the current version is v1.0.0.
More Skills