← Back to Skills Marketplace
130
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install mobazha-subdomain-bot-config
Description
Set up a custom domain and Telegram Bot for a Mobazha store. Use when the user wants to configure DNS, TLS, or a Telegram Mini App storefront.
Usage Guidance
This skill appears to do what it says (set up DNS/TLS and connect a Telegram bot), but exercise caution before running any of the commands. Key risks and actions:
- Avoid piping unknown scripts to sudo bash. Instead, download the installer, inspect it, and verify checksums/signatures (ask the vendor for release hashes) before executing. Consider running it in an isolated VM or container first.
- Confirm you trust get.mobazha.org (project homepage or repository) — the skill metadata lacks a source/homepage. Ask the publisher for a canonical repository or release page.
- Do not paste BotFather tokens or other secrets into untrusted chat windows. If an agent asks you for a token, prefer manual entry into the store admin panel rather than sharing it in conversation.
- If you must use this skill, ask the maintainer for safer installation options (package with checksums, signed releases, or an audited installer) and clear instructions for secure token handling.
If you want, I can: (a) produce a safer install checklist you can follow, (b) draft specific verification steps to validate the installer, or (c) suggest exact questions to ask the skill author/maintainer before proceeding.
Capability Analysis
Type: OpenClaw Skill
Name: mobazha-subdomain-bot-config
Version: 0.2.0
The skill bundle provides instructions for configuring a Mobazha store, including domain setup and Telegram bot integration. It contains a high-risk installation pattern in `SKILL.md` that uses `curl | sudo bash` to execute a remote script from `https://get.mobazha.org/standalone`. Although the documentation includes proactive security instructions for the agent regarding credential handling and user consent, the recommendation to execute unverified remote scripts with root privileges is a significant security risk that aligns with the 'suspicious' classification for risky capabilities.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description (domain + Telegram bot setup for a Mobazha store) align with the commands and steps in SKILL.md (DNS records, mobazha-ctl, mobazha start, BotFather flow). The requested capabilities are proportional to the stated purpose (no unrelated credentials or binaries are requested).
Instruction Scope
SKILL.md instructs executing network-fetched install commands (curl -sSL https://get.mobazha.org/standalone | sudo bash -s -- --domain ...) and running admin commands that require elevated privileges. There is no guidance to verify the downloaded script (no checksum or signature), and though the doc says to ask for explicit consent before accepting tokens, it leaves agent behavior open-ended. These instructions give broad authority to execute remote code and handle secrets, which is out-of-band risk for an instruction-only skill.
Install Mechanism
There is no formal install spec, but the documented installation method (pipe a remote script into sudo bash from get.mobazha.org) is equivalent to downloading and executing arbitrary code from the network without checksum/signature. Even if get.mobazha.org is the project's host, lack of verification and use of a single-line pipe makes the flow a high-risk install mechanism.
Credentials
The skill does not request environment variables or credentials in metadata (proportionate). However, the runtime instructions expect the operator/agent to accept and use a BotFather token for configuration. The doc warns not to store or transmit tokens, but there is no technical enforcement; users/agents might be asked to paste tokens into chat or run commands that consume them. This is a potential sensitive-data handling risk even though no env vars are declared.
Persistence & Privilege
The skill is user-invocable and not always-on; it does not request persistent privileges or modification of other skills' configs. There is no install-time persistence declared by the skill itself. The only persistence risk arises from the remote installer it recommends (which could write long-lived services on the host).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mobazha-subdomain-bot-config - After installation, invoke the skill by name or use
/mobazha-subdomain-bot-config - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Require explicit consent before connecting; strengthen credential handling
v0.1.0
Initial release
Metadata
Frequently Asked Questions
What is Subdomain Bot Config?
Set up a custom domain and Telegram Bot for a Mobazha store. Use when the user wants to configure DNS, TLS, or a Telegram Mini App storefront. It is an AI Agent Skill for Claude Code / OpenClaw, with 130 downloads so far.
How do I install Subdomain Bot Config?
Run "/install mobazha-subdomain-bot-config" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Subdomain Bot Config free?
Yes, Subdomain Bot Config is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Subdomain Bot Config support?
Subdomain Bot Config is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Subdomain Bot Config?
It is built and maintained by fengzie (@fengzie); the current version is v0.2.0.
More Skills