Telegram Import

Incrementally import Telegram messages from SQLite to LanceDB with Qwen3-Embedding-4B vectors, supporting checkpoint resume and filtering empty messages.

This skill is coherent with its stated purpose, but review these before running: 1) Paths: the script hardcodes Windows paths (e.g., D:\chat\telegram_messages.db and D:\edata.lance). Update them if your files live elsewhere or run in an environment that matches these paths. 2) Dependencies: install the required Python packages (requests, numpy, pyarrow, lance) in a controlled virtual environment. 3) Local embedding service: the embedding endpoint is http://127.0.0.1:1234 — ensure LM Studio (or another compatible service) is running locally and you trust it. 4) Checkpoint safety: the script uses pickle.load to read the checkpoint file; unpickling untrusted files can execute arbitrary code. Only reuse checkpoints you created/trust; if you expect untrusted inputs, replace pickle with a safe format (JSON) or validate the checkpoint file before loading. 5) Backups & permissions: the script will read your Telegram DB and write into the LanceDB directory; back up data and run with appropriate filesystem permissions. If you want higher assurance, inspect and test the script in an isolated VM or container before running on sensitive data.

Type: OpenClaw Skill Name: telegram-import Version: 1.0.0 The skill contains security vulnerabilities that could be exploited, specifically the use of 'pickle.load()' in 'scripts/chunk_db.py' to handle checkpoint files, which allows for arbitrary code execution if the checkpoint file is tampered with. Additionally, the script uses f-strings for SQL table and column names, which is a poor practice that can lead to SQL injection. While these behaviors appear to be unintentional flaws in a tool designed for local data processing, they meet the criteria for 'suspicious' due to the presence of high-risk vulnerabilities without clear evidence of malicious intent.