← Back to Skills Marketplace

Telegram Media

Name: Telegram Media
Author: ryandeangraves

by ryandeangraves · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

716

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install telegram-media

Description

Send generated charts, photos, documents, and ElevenLabs TTS voice clips securely through Telegram using executed shell commands.

Usage Guidance

This skill will run shell/python commands from ~/clawd, load a .env (via load_env.py) and expects TELEGRAM and ElevenLabs credentials even though the registry doesn't list them. Before installing: 1) Confirm the source of load_env.py and crypto_charts.py and inspect their code — they may read and send arbitrary files. 2) Put only the minimal credentials needed into a dedicated .env for this skill (use a Telegram bot token limited to a single chat or a throwaway bot). 3) Avoid placing unrelated secrets in the same .env or ~/clawd. 4) If possible, run the skill in an isolated environment (container) and disable autonomous invocation until you trust the scripts. 5) Ask the publisher to update the registry to declare the required env vars and to document exactly which files the skill will read and send.

Capability Analysis

Type: OpenClaw Skill Name: telegram-media Version: 1.0.0 The skill's core functionality (sending media via Telegram, generating voice notes) is benign. However, the `SKILL.md` contains multiple `python3 -c "..."` command templates that incorporate placeholders for file paths (`PHOTO_PATH`, `FILE_PATH`), captions (`CAPTION_HERE`), and text (`TEXT_TO_SPEAK`). If an AI agent directly interpolates untrusted user input into these placeholders without proper sanitization, it could lead to shell injection, allowing arbitrary command execution. This represents a significant vulnerability (lack of input sanitization) in the skill's design, classifying it as suspicious.

Capability Assessment

ℹ Purpose & Capability

The SKILL.md behavior (sending photos, documents, generated charts, and ElevenLabs TTS via Telegram) is consistent with the stated purpose. However the registry declares no required environment variables while the runtime instructions explicitly require TELEGRAM_TOKEN, TELEGRAM_CHAT_ID, ELEVEN_API_KEY (or ELEVENLABS_API_KEY), and ELEVEN_VOICE_ID via load_env and a .env file — an inconsistency that should be corrected.

⚠ Instruction Scope

Instructions mandate executing shell/exec commands from ~/clawd, import a local load_env.py (which reads .env), run arbitrary local scripts (e.g., crypto_charts.py), read arbitrary files (PHOTO_PATH, FILE_PATH, charts/...), write temp files (/tmp/frank_voice.mp3), and post the results to external APIs. That gives the skill the ability to read and transmit any file under ~/clawd and any secrets present in .env — behavior broader than a minimal 'send media' skill and worthy of caution.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files in the registry — lowest install risk. Nothing is downloaded or written by an installer step in the skill manifest.

⚠ Credentials

The runtime requires bot and TTS API credentials, which are appropriate for Telegram + ElevenLabs functionality. However the registry fails to declare these required env vars. More importantly, the use of load_env.py to load a .env file means any other secrets in that .env (or files under ~/clawd) could be read and sent — requesting access to an entire .env is disproportionate unless limited and documented.

ℹ Persistence & Privilege

The skill is not always-enabled and has no installation step. The platform-default autonomous invocation is allowed; by itself this is normal, but combined with the ability to read local files and .env and then send data externally it increases potential blast radius. Consider restricting autonomous invocation or providing a tightly-scoped bot token before enabling.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install telegram-media
After installation, invoke the skill by name or use /telegram-media
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release — enables rich media delivery via Telegram, including charts, voice notes, and files. - Provides step-by-step bash/python recipes for sending images, documents, and voice notes to Telegram. - Supports on-demand chart generation for multiple assets and automated chart delivery. - Integrates ElevenLabs TTS for generating and sending voice clips as Telegram voice messages. - Enforces critical rule: all commands must be executed for real, never faked. - Includes clear usage guidance for when and how to use each feature.

Metadata

Slug telegram-media

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Telegram Media?

Send generated charts, photos, documents, and ElevenLabs TTS voice clips securely through Telegram using executed shell commands. It is an AI Agent Skill for Claude Code / OpenClaw, with 716 downloads so far.

How do I install Telegram Media?

Run "/install telegram-media" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Telegram Media free?

Yes, Telegram Media is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Telegram Media support?

Telegram Media is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Telegram Media?

It is built and maintained by ryandeangraves (@ryandeangraves); the current version is v1.0.0.

More Skills