← Back to Skills Marketplace
orchestration, telegram, cron
by
Kiril-Shturman
· GitHub ↗
· v1.0.0
· MIT-0
203
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pm-dev-orchestrator
Description
Orchestrate a PM bot and one or more Dev bots in a private Telegram group. Use to turn plain chat commands like "DEV skill install <slug>" and "DEV cron add...
Usage Guidance
Before installing or running this skill, consider the following:
- Metadata mismatch: The registry declares no required env vars, but SKILL.md requires GROUP_CHAT_ID, PM_FROM_ID and DEV_BOT_TOKEN and asks you to edit ~/.openclaw/openclaw.json. Treat DEV_BOT_TOKEN as a sensitive secret — the package should have declared it.
- Trust boundary: This setup lets a trusted PM bot trigger local CLI commands (clawhub install/update, openclaw cron add/run). If PM_FROM_ID or group configuration is wrong or spoofed, an attacker could cause the Dev server to install arbitrary skills or run cron jobs. Only enable this in a private, well-controlled group and verify PM_FROM_ID carefully.
- CLI outputs may leak secrets: The scaffold returns CLI stdout/stderr (truncated). Ensure clawhub/openclaw commands do not print secrets in outputs before forwarding replies into chat.
- Review installed skills: clawhub install pulls and installs third-party skill code that will run on your server. Consider using an isolated environment or manual review process for newly installed skills.
- Filesystem writes: The script writes temporary job JSON into the workspace and suggests editing openclaw config. Back up configs and ensure workspace path permissions are appropriate.
- Use the included script only for testing: scripts/dev_executor.py is a scaffold that reads stdin or prints parse results; it does not itself integrate with Telegram APIs (intentionally). Integrate only via controlled wrappers and prefer OpenClaw's own gateway allowlist mechanism rather than running an always-on unreviewed daemon.
If you want to proceed: ask the author to update the package metadata to declare the required credentials (mark DEV_BOT_TOKEN as primaryEnv), and consider performing an audit of any ClawHub packages you allow the Dev bot to install. If you want to be safer, run the Dev bot in an isolated VM/container and restrict network/volume access.
Capability Analysis
Type: OpenClaw Skill
Name: pm-dev-orchestrator
Version: 1.0.0
The skill provides a remote administration interface for an OpenClaw instance via Telegram, allowing for skill installation and cron job management. While the implementation in `scripts/dev_executor.py` and the instructions in `SKILL.md` include safety measures such as Telegram ID allowlisting and restricted command sets, the capability to remotely install code and manage system persistence (cron) is inherently high-risk. The script uses `subprocess.run` safely to avoid shell injection, but the overall functionality constitutes a powerful remote control mechanism that could be abused if the upstream 'PM bot' is compromised.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts implement a Dev-bot executor for Telegram commands (skill and cron management) which aligns with the skill name/description. However the registry lists no required env vars/configs while SKILL.md clearly requires GROUP_CHAT_ID, PM_FROM_ID and DEV_BOT_TOKEN and also instructs edits to ~/.openclaw/openclaw.json and restarting the gateway — a metadata vs. runtime-config mismatch that should have been declared.
Instruction Scope
Instructions are narrowly scoped to reading Telegram group messages, allowlisting the PM sender, and invoking local CLIs (clawhub, openclaw cron). That matches the stated purpose. Caveats: the runtime will execute local CLI commands (which may install/modify code on disk) and capture CLI output (the script truncates and emits CLI output back as chat replies), so CLI outputs could inadvertently reveal secrets or sensitive information unless operators ensure CLI behavior is safe.
Install Mechanism
No install spec — instruction-only plus a small scaffold script. Nothing is downloaded from external URLs or installed automatically by the skill package itself, so there is no immediate supply-chain install risk from this bundle.
Credentials
The SKILL.md demands a Telegram bot token (DEV_BOT_TOKEN) and numeric IDs (GROUP_CHAT_ID, PM_FROM_ID) and suggests writing to ~/.openclaw/openclaw.json; yet the registry metadata declares no required env vars or config paths. DEV_BOT_TOKEN is a sensitive credential and should have been declared as primaryEnv. The script also optionally uses OPENCLAW_WORKSPACE and writes a temp JSON file into the workspace — these filesystem accesses are proportional to the task but should be explicitly declared.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to alter other skills' configs. It instructs editing the OpenClaw gateway config (~/ .openclaw/openclaw.json) which is appropriate for enabling Telegram allowlisting but is a privileged operation and should be performed carefully. Autonomous invocation of commands is part of intended behavior when the Dev bot is configured to run CLI actions.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pm-dev-orchestrator - After installation, invoke the skill by name or use
/pm-dev-orchestrator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
pm-dev-orchestrator v1.0.0
- Initial release enabling orchestration between a PM bot and Dev bot in a private Telegram group.
- Supports structured commands to manage ClawHub skills and OpenClaw cron jobs via chat.
- Implements strict command parsing and safety rules to prevent unauthorized actions.
- Provides clear configuration and behavioral contracts to ensure secure execution.
- Includes a scaffold script for command parsing and local execution on the Dev side.
Metadata
Frequently Asked Questions
What is orchestration, telegram, cron?
Orchestrate a PM bot and one or more Dev bots in a private Telegram group. Use to turn plain chat commands like "DEV skill install <slug>" and "DEV cron add... It is an AI Agent Skill for Claude Code / OpenClaw, with 203 downloads so far.
How do I install orchestration, telegram, cron?
Run "/install pm-dev-orchestrator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is orchestration, telegram, cron free?
Yes, orchestration, telegram, cron is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does orchestration, telegram, cron support?
orchestration, telegram, cron is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created orchestration, telegram, cron?
It is built and maintained by Kiril-Shturman (@kiril-shturman); the current version is v1.0.0.
More Skills