Telegram Contract Ops

Automate Vietnamese contract creation and eID intake via Telegram by parsing inputs, OCRing ID images, generating .docx contracts, and routing workflows by g...

This skill appears to do what it says (Telegram bot + OCR + docx generation), but there are important inconsistencies to resolve before installing: - The package metadata lists no required env vars or binaries, yet the code requires TELEGRAM_BOT_TOKEN, TELEGRAM_CONTRACT_CHAT_ID, TELEGRAM_MANAGEMENT_CHAT_ID, PLAN_B_OUTPUT_DIR, PLAN_B_TEMPLATE_DOCX and depends on node, python3, and (for OCR) swift/Apple Vision. Treat those as required secrets/runtimes. - Review all scripts locally before running. Pay attention to: execFileSync/child_process calls (the code runs python and swift), file write paths (.state/, plan-b/output, temp .ocr.json), and the Telegram usage (it calls Telegram API directly). These are expected, but verify paths and token usage. - Fix or override hard-coded defaults before deployment: the Python generator contains defaults pointing at /Users/vtammm/.openclaw/workspace which look like developer-specific paths — change these to appropriate, isolated directories so files aren't written into unexpected home directories. - Limit bot token scope and group membership. Use a dedicated Telegram bot token with minimal privileges, add the bot only to intended groups, rotate the token after setup, and store tokens in a local, access-controlled .env file (not checked into source control). - Protect PII and artifacts. OCR outputs, ID images, and mapped JSON contain sensitive personal data; run the skill on a machine with disk encryption, set restrictive file permissions on output/state directories, and implement a cleanup/retention policy. - If you need Plan C OCR on non-macOS, the repository warns the Swift/Apple Vision OCR is macOS-only. Replace or audit any alternate OCR engine before enabling it. If you trust the author and will run the skill in a controlled environment after making the above changes (declare required env vars and runtime binaries in your deployment policy, correct default paths, and secure tokens/artifacts), the code itself is consistent with its stated purpose. If you cannot validate or edit the code and environment, avoid installing it on production systems.

Type: OpenClaw Skill Name: telegram-contract-ops Version: 1.0.1 The skill bundle provides a functional Telegram bot workflow for generating Vietnamese contracts and performing OCR on electronic IDs. While the scripts utilize potentially sensitive operations such as file system access, image downloading from Telegram, and local command execution via 'execFileSync' (in scripts like telegram-planb-bot.js and plan-b-telegram-to-docx.js), these actions are strictly aligned with the stated purpose of the skill. There is no evidence of data exfiltration, unauthorized remote access, or malicious prompt injection. The use of macOS-specific Swift code (plan-c-ocr.swift) for OCR is a legitimate implementation choice for the described environment.