manlight87

Telegram-Bot-managerj

Author: manlight · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 680
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install telegrambot
Description
Manage and secure local high-privilege storage serving workflows. Use when creating, starting, stopping, or hardening a full-drive file server and related op...
Security usage recommendations
Do not install or run this skill without verification. Specific points to consider:
- Metadata/name mismatch: the package is labeled as a Telegram-related skill but contains a 'God Mode Manager' file server — ask the publisher for clarification or source provenance.
- Hidden env vars: the bundle expects GOD_MODE_TOKEN and other env vars even though the registry declares none — set a strong token and verify the skill will not run without it.
- Dangerous defaults: the default root is C:\ (full system drive). If you must run this, change GOD_MODE_ROOT to a minimal directory and ensure GOD_MODE_HOST is 127.0.0.1 and token auth is enabled.
- Least privilege: do not run as an elevated user; run inside an isolated environment (sandbox, VM, container) for testing and audit which files are served.
- Audit the code: review scripts/server.cjs (provided) and test in a safe environment before exposing any network binding.
If you don't trust the source or cannot verify the author, do not run it on production or sensitive hosts. If the publisher can explain the naming/metadata discrepancy and update the registry to declare the required env vars and safer defaults, the risk would be reduced.
Functional analysis
Type: OpenClaw Skill
Name: telegrambot
Version: 1.0.0
This skill is classified as suspicious due to its extremely broad default scope and a significant vulnerability in token handling. The `scripts/server.cjs` file, as described in `SKILL.md`, defaults to exposing the entire `C:\` drive via an HTTP server. While authentication and path traversal checks are implemented, the server allows the access token to be passed in URL query parameters, which can lead to token leakage in server logs and browser history (`scripts/server.cjs`, `assets/index.html`). This vulnerability, combined with the 'god-mode' level of access, poses a high risk if the token is compromised, allowing unauthorized read access to the entire system drive.
Capability assessment
Purpose & Capability
The skill's published name/slug (Telegram-Bot-managerj / telegrambot) and the short description in the registry do not match the included files, which implement a 'God Mode Manager' local file server. That mismatch is a red flag: either the metadata is incorrect or the package was repurposed/mislabelled. The actual capability (serving the system root, listing and returning files) is plausible for a 'local storage manager' but is unexpected given the registry name.
Instruction Scope
SKILL.md and the runtime script are consistent with each other: the instructions tell the agent to run node scripts/server.cjs and to bind and require a token. The server implements listing, reading (with a small-size read endpoint) and full downloads under a configured ROOT. That behavior matches the stated operational purpose (manage/harden local storage), but the default ROOT is the system drive (C:\) and the README relies on operator discipline (bind to loopback, require token). This grants broad access to sensitive files if misconfigured.
Install Mechanism
There is no install script or external download; the skill is instruction-only plus included code files. Nothing is pulled from external URLs or installed automatically, which minimizes supply-chain risk. The code is plain JS included in the bundle.
Credentials
The registry metadata lists no required environment variables or primary credential, yet the code and SKILL.md rely on several environment variables (GOD_MODE_ROOT, GOD_MODE_HOST, GOD_MODE_PORT, GOD_MODE_TOKEN, GOD_MODE_TOKEN_REQUIRED, GOD_MODE_MAX_READ_BYTES). In particular GOD_MODE_TOKEN is required by default (the process will exit if missing). The absence of declared required env vars in metadata is an inconsistency that hides the need for a secret token and the risk of exposing sensitive data if defaults are used.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. However, running it gives the process access to the configured root (default: entire system drive). That is a high-privilege capability at runtime — dangerous if started unintentionally or with inadequate authentication/binding.
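How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install telegrambot
  3. Once installation completes, invoke the Skill by name or trigger it with /telegrambot
  4. Provide the required inputs according to the Skill's parameter description to get structured output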
Version history
v1.0.0
- Initial release of god-mode-manager skill.
- Provides management and security tools for local high-privilege storage workflows.
- Supports starting, stopping, and hardening a full-drive file server.
- Includes operational controls such as root path restriction, port configuration, and mandatory token-based authentication.
- Emphasizes local-only server binding, protection against path traversal, and JSON output for automation.
Metadata
Slug telegrambot
Version 1.0.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is Telegram-Bot-managerj?

Manage and secure local high-privilege storage serving workflows. Use when creating, starting, stopping, or hardening a full-drive file server and related op... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 680 total downloads to date.

How do I install Telegram-Bot-managerj?

Run the command "/install telegrambot" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Telegram-Bot-managerj free?

Yes, Telegram-Bot-managerj is completely free (open source and free) and can be freely downloaded, installed, and used.

Which platforms does Telegram-Bot-managerj support?

Telegram-Bot-managerj runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Telegram-Bot-managerj?

Developed and maintained by manlight (@manlight87); the current version is v1.0.0.
