← 返回 Skills 市场
Telegram Media
作者
ryandeangraves
· GitHub ↗
· v1.0.0
716
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install telegram-media
功能描述
Send generated charts, photos, documents, and ElevenLabs TTS voice clips securely through Telegram using executed shell commands.
安全使用建议
This skill will run shell/python commands from ~/clawd, load a .env (via load_env.py) and expects TELEGRAM and ElevenLabs credentials even though the registry doesn't list them. Before installing: 1) Confirm the source of load_env.py and crypto_charts.py and inspect their code — they may read and send arbitrary files. 2) Put only the minimal credentials needed into a dedicated .env for this skill (use a Telegram bot token limited to a single chat or a throwaway bot). 3) Avoid placing unrelated secrets in the same .env or ~/clawd. 4) If possible, run the skill in an isolated environment (container) and disable autonomous invocation until you trust the scripts. 5) Ask the publisher to update the registry to declare the required env vars and to document exactly which files the skill will read and send.
功能分析
Type: OpenClaw Skill
Name: telegram-media
Version: 1.0.0
The skill's core functionality (sending media via Telegram, generating voice notes) is benign. However, the `SKILL.md` contains multiple `python3 -c "..."` command templates that incorporate placeholders for file paths (`PHOTO_PATH`, `FILE_PATH`), captions (`CAPTION_HERE`), and text (`TEXT_TO_SPEAK`). If an AI agent directly interpolates untrusted user input into these placeholders without proper sanitization, it could lead to shell injection, allowing arbitrary command execution. This represents a significant vulnerability (lack of input sanitization) in the skill's design, classifying it as suspicious.
能力评估
Purpose & Capability
The SKILL.md behavior (sending photos, documents, generated charts, and ElevenLabs TTS via Telegram) is consistent with the stated purpose. However the registry declares no required environment variables while the runtime instructions explicitly require TELEGRAM_TOKEN, TELEGRAM_CHAT_ID, ELEVEN_API_KEY (or ELEVENLABS_API_KEY), and ELEVEN_VOICE_ID via load_env and a .env file — an inconsistency that should be corrected.
Instruction Scope
Instructions mandate executing shell/exec commands from ~/clawd, import a local load_env.py (which reads .env), run arbitrary local scripts (e.g., crypto_charts.py), read arbitrary files (PHOTO_PATH, FILE_PATH, charts/...), write temp files (/tmp/frank_voice.mp3), and post the results to external APIs. That gives the skill the ability to read and transmit any file under ~/clawd and any secrets present in .env — behavior broader than a minimal 'send media' skill and worthy of caution.
Install Mechanism
Instruction-only skill with no install spec and no code files in the registry — lowest install risk. Nothing is downloaded or written by an installer step in the skill manifest.
Credentials
The runtime requires bot and TTS API credentials, which are appropriate for Telegram + ElevenLabs functionality. However the registry fails to declare these required env vars. More importantly, the use of load_env.py to load a .env file means any other secrets in that .env (or files under ~/clawd) could be read and sent — requesting access to an entire .env is disproportionate unless limited and documented.
Persistence & Privilege
The skill is not always-enabled and has no installation step. The platform-default autonomous invocation is allowed; by itself this is normal, but combined with the ability to read local files and .env and then send data externally it increases potential blast radius. Consider restricting autonomous invocation or providing a tightly-scoped bot token before enabling.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install telegram-media - 安装完成后,直接呼叫该 Skill 的名称或使用
/telegram-media触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — enables rich media delivery via Telegram, including charts, voice notes, and files.
- Provides step-by-step bash/python recipes for sending images, documents, and voice notes to Telegram.
- Supports on-demand chart generation for multiple assets and automated chart delivery.
- Integrates ElevenLabs TTS for generating and sending voice clips as Telegram voice messages.
- Enforces critical rule: all commands must be executed for real, never faked.
- Includes clear usage guidance for when and how to use each feature.
元数据
常见问题
Telegram Media 是什么?
Send generated charts, photos, documents, and ElevenLabs TTS voice clips securely through Telegram using executed shell commands. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 716 次。
如何安装 Telegram Media?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install telegram-media」即可一键安装,无需额外配置。
Telegram Media 是免费的吗?
是的,Telegram Media 完全免费(开源免费),可自由下载、安装和使用。
Telegram Media 支持哪些平台?
Telegram Media 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Telegram Media?
由 ryandeangraves(@ryandeangraves)开发并维护,当前版本 v1.0.0。
推荐 Skills