← Back to Skills Marketplace
309
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install telegram-autopilot
Description
Manage a Telegram userbot autopilot that responds to private messages as the user using AI. Use when the user wants to set up auto-replies on their personal...
Usage Guidance
Before installing: (1) Be aware this skill needs your Telegram api_id/api_hash, phone (OTP/2FA), and an AI API key — the registry metadata incorrectly omits these. (2) The scripts store secrets in config.json and create a .session file that has full account access; do not run this on a machine you don't control. (3) The optional OTP web form binds to localhost (127.0.0.1) but has no auth — ensure it's not reachable from the network. (4) Review the code yourself (or in a sandbox/VM) and prefer running it with least-privileged test accounts first; rotate tokens/credentials if you test on a primary account. (5) If you plan to use owner notifications, ensure the bot_token/chat_id point to a bot/chat you control. (6) Ask the publisher to correct registry metadata to declare required credentials and to document secure handling of config/session files. If you are not comfortable auditing code or protecting secrets, treat this skill as high-risk.
Capability Analysis
Type: OpenClaw Skill
Name: telegram-autopilot
Version: 1.1.1
The skill implements a Telegram userbot with full account access, which is a high-risk capability. It handles sensitive session files, API credentials, and intercepts all private messages to forward them to AI providers and a notification bot. While the behavior aligns with the stated 'autopilot' purpose, the bundle includes a local unauthenticated web server (scripts/code_server.py) for OTP capture and scripts that simulate human behavior (typing indicators, marking messages as read) to avoid detection, which are common patterns in dual-use or account-takeover tools.
Capability Assessment
Purpose & Capability
The skill claims to be a Telegram autopilot and the code indeed requires Telegram API ID/hash, phone (OTP/2FA), and an AI API key (Anthropic/OpenAI-compatible). However the registry metadata lists no required env vars or primary credential — a mismatch that could mislead users about what secrets they must supply. The requested secrets are reasonable for the stated purpose, but the metadata omission is a coherence problem.
Instruction Scope
SKILL.md and the scripts confine actions to Telegram and AI provider APIs (sending/reading DM, generating replies, optional forwarding via a bot). The instructions direct the agent/operator to store API keys, phone, and 2FA in config.json and persist a .session file. They also describe a file-based OTP exchange and an optional local web form for fast code entry (code_server.py). These behaviors are expected for a userbot but are sensitive: the skill reads/writes local files containing secrets and session tokens and automatically forwards messages to an owner bot if configured.
Install Mechanism
No install spec provided; the repo uses plain Python scripts and Telethon with pip. There are no remote downloads or obscure install steps. This is low-risk from an install mechanism perspective, but you still must install third-party packages (telethon) and run the scripts yourself.
Credentials
The code legitimately requires Telegram API ID/hash, a phone number (and possibly 2FA), and an AI provider API key; an optional bot token is used for owner notifications. Those secrets are proportional to the feature set. The problem is the registry metadata declaring 'none' for required credentials and env vars, which is incorrect and reduces transparency. Also, the skill's recommended practice (store all secrets in config.json on disk) is risky and increases the chance of credential leakage if the file or session is mishandled.
Persistence & Privilege
The skill persists a Telegram session file (.session) that grants full account access — this is inherent to userbot operation and is acknowledged in the docs. The skill is not marked always:true and does not modify other skills. However, a session file is high-privilege and must be protected; combined with autonomous invocation (normal default), it increases blast radius if the environment or skill is compromised.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install telegram-autopilot - After installation, invoke the skill by name or use
/telegram-autopilot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
Add canonical source URL and author reference
v1.1.0
Security review fixes: bind OTP server to localhost only, transparent AI disclosure, declare all required secrets in metadata, add ethics section
v1.0.0
Initial release: AI auto-reply for personal Telegram accounts, paid media support, OTP login flow, multi-contact config, owner notifications
Metadata
Frequently Asked Questions
What is Telegram Autopilot?
Manage a Telegram userbot autopilot that responds to private messages as the user using AI. Use when the user wants to set up auto-replies on their personal... It is an AI Agent Skill for Claude Code / OpenClaw, with 309 downloads so far.
How do I install Telegram Autopilot?
Run "/install telegram-autopilot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Telegram Autopilot free?
Yes, Telegram Autopilot is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Telegram Autopilot support?
Telegram Autopilot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Telegram Autopilot?
It is built and maintained by Shor73 (@shor73); the current version is v1.1.1.
More Skills