← 返回 Skills 市场
309
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install telegram-autopilot
功能描述
Manage a Telegram userbot autopilot that responds to private messages as the user using AI. Use when the user wants to set up auto-replies on their personal...
安全使用建议
Before installing: (1) Be aware this skill needs your Telegram api_id/api_hash, phone (OTP/2FA), and an AI API key — the registry metadata incorrectly omits these. (2) The scripts store secrets in config.json and create a .session file that has full account access; do not run this on a machine you don't control. (3) The optional OTP web form binds to localhost (127.0.0.1) but has no auth — ensure it's not reachable from the network. (4) Review the code yourself (or in a sandbox/VM) and prefer running it with least-privileged test accounts first; rotate tokens/credentials if you test on a primary account. (5) If you plan to use owner notifications, ensure the bot_token/chat_id point to a bot/chat you control. (6) Ask the publisher to correct registry metadata to declare required credentials and to document secure handling of config/session files. If you are not comfortable auditing code or protecting secrets, treat this skill as high-risk.
功能分析
Type: OpenClaw Skill
Name: telegram-autopilot
Version: 1.1.1
The skill implements a Telegram userbot with full account access, which is a high-risk capability. It handles sensitive session files, API credentials, and intercepts all private messages to forward them to AI providers and a notification bot. While the behavior aligns with the stated 'autopilot' purpose, the bundle includes a local unauthenticated web server (scripts/code_server.py) for OTP capture and scripts that simulate human behavior (typing indicators, marking messages as read) to avoid detection, which are common patterns in dual-use or account-takeover tools.
能力评估
Purpose & Capability
The skill claims to be a Telegram autopilot and the code indeed requires Telegram API ID/hash, phone (OTP/2FA), and an AI API key (Anthropic/OpenAI-compatible). However the registry metadata lists no required env vars or primary credential — a mismatch that could mislead users about what secrets they must supply. The requested secrets are reasonable for the stated purpose, but the metadata omission is a coherence problem.
Instruction Scope
SKILL.md and the scripts confine actions to Telegram and AI provider APIs (sending/reading DM, generating replies, optional forwarding via a bot). The instructions direct the agent/operator to store API keys, phone, and 2FA in config.json and persist a .session file. They also describe a file-based OTP exchange and an optional local web form for fast code entry (code_server.py). These behaviors are expected for a userbot but are sensitive: the skill reads/writes local files containing secrets and session tokens and automatically forwards messages to an owner bot if configured.
Install Mechanism
No install spec provided; the repo uses plain Python scripts and Telethon with pip. There are no remote downloads or obscure install steps. This is low-risk from an install mechanism perspective, but you still must install third-party packages (telethon) and run the scripts yourself.
Credentials
The code legitimately requires Telegram API ID/hash, a phone number (and possibly 2FA), and an AI provider API key; an optional bot token is used for owner notifications. Those secrets are proportional to the feature set. The problem is the registry metadata declaring 'none' for required credentials and env vars, which is incorrect and reduces transparency. Also, the skill's recommended practice (store all secrets in config.json on disk) is risky and increases the chance of credential leakage if the file or session is mishandled.
Persistence & Privilege
The skill persists a Telegram session file (.session) that grants full account access — this is inherent to userbot operation and is acknowledged in the docs. The skill is not marked always:true and does not modify other skills. However, a session file is high-privilege and must be protected; combined with autonomous invocation (normal default), it increases blast radius if the environment or skill is compromised.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install telegram-autopilot - 安装完成后,直接呼叫该 Skill 的名称或使用
/telegram-autopilot触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.1
Add canonical source URL and author reference
v1.1.0
Security review fixes: bind OTP server to localhost only, transparent AI disclosure, declare all required secrets in metadata, add ethics section
v1.0.0
Initial release: AI auto-reply for personal Telegram accounts, paid media support, OTP login flow, multi-contact config, owner notifications
元数据
常见问题
Telegram Autopilot 是什么?
Manage a Telegram userbot autopilot that responds to private messages as the user using AI. Use when the user wants to set up auto-replies on their personal... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 309 次。
如何安装 Telegram Autopilot?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install telegram-autopilot」即可一键安装,无需额外配置。
Telegram Autopilot 是免费的吗?
是的,Telegram Autopilot 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Telegram Autopilot 支持哪些平台?
Telegram Autopilot 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Telegram Autopilot?
由 Shor73(@shor73)开发并维护,当前版本 v1.1.1。
推荐 Skills