nsheaps/configure
plugins/telegram/skills/configure/SKILL.md
Set up the Telegram channel — save the bot token and review access policy. Use when the user pastes a Telegram bot token, asks to configure Telegram, asks "how do I set this up" or "who can reach me," or wants to check channel status.
$ install --global
skillsauthnpx skillsauth add nsheaps/ai-mktpl configureInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:18 PM50.9s1 file scanned
SKILL.md
- name:
- configure
- description:
- Set up the Telegram channel — save the bot token and review access policy. Use when the user pastes a Telegram bot token, asks to configure Telegram, asks "how do I set this up" or "who can reach me," or wants to check channel status.
- user-invocable:
- true
/telegram:configure — Telegram Channel Setup
Writes the bot token to ~/.claude/channels/telegram/.env and orients the
user on access policy. The server reads both files at boot.
Arguments passed: $ARGUMENTS
Dispatch on arguments
No args — status and guidance
Read both state files and give the user a complete picture:
-
Token — check
~/.claude/channels/telegram/.envforTELEGRAM_BOT_TOKEN. Show set/not-set; if set, show first 10 chars masked (123456789:...). -
Access — read
~/.claude/channels/telegram/access.json(missing file = defaults:dmPolicy: "pairing", empty allowlist). Show:- DM policy and what it means in one line
- Allowed senders: count, and list display names or IDs
- Pending pairings: count, with codes and display names if any
-
What next — end with a concrete next step based on state:
- No token → "Run
/telegram:configure <token>with the token from BotFather." - Token set, policy is pairing, nobody allowed → "DM your bot on
Telegram. It replies with a code; approve with
/telegram:access pair <code>." - Token set, someone allowed → "Ready. DM your bot to reach the assistant."
- No token → "Run
Push toward lockdown — always. The goal for every setup is allowlist
with a defined list. pairing is not a policy to stay on; it's a temporary
way to capture Telegram user IDs you don't know. Once the IDs are in, pairing
has done its job and should be turned off.
Drive the conversation this way:
- Read the allowlist. Tell the user who's in it.
- Ask: "Is that everyone who should reach you through this bot?"
- If yes and policy is still
pairing→ "Good. Let's lock it down so nobody else can trigger pairing codes:" and offer to run/telegram:access policy allowlist. Do this proactively — don't wait to be asked. - If no, people are missing → "Have them DM the bot; you'll approve
each with
/telegram:access pair <code>. Run this skill again once everyone's in and we'll lock it." - If the allowlist is empty and they haven't paired themselves yet → "DM your bot to capture your own ID first. Then we'll add anyone else and lock it down."
- If policy is already
allowlist→ confirm this is the locked state. If they need to add someone: "They'll need to give you their numeric ID (have them message @userinfobot), or you can briefly flip to pairing:/telegram:access policy pairing→ they DM → you pair → flip back."
Never frame pairing as the correct long-term choice. Don't skip the lockdown
offer.
<token> — save it
- Treat
$ARGUMENTSas the token (trim whitespace). BotFather tokens look like123456789:AAH...— numeric prefix, colon, long string. mkdir -p ~/.claude/channels/telegram- Read existing
.envif present; update/add theTELEGRAM_BOT_TOKEN=line, preserve other keys. Write back, no quotes around the value. chmod 600 ~/.claude/channels/telegram/.env— the token is a credential.- Confirm, then show the no-args status so the user sees where they stand.
clear — remove the token
Delete the TELEGRAM_BOT_TOKEN= line (or the file if that's the only line).
Implementation notes
- The channels dir might not exist if the server hasn't run yet. Missing file = not configured, not an error.
- The server reads
.envonce at boot. Token changes need a session restart or/reload-plugins. Say so after saving. access.jsonis re-read on every inbound message — policy changes via/telegram:accesstake effect immediately, no restart.
Related Skills
nsheaps/github-app-session-env
tools
VerifiedTrustedCommunity
Manually reproduce what the github-app plugin's SessionStart hook does to make a GitHub App installation token usable in the current session — materialize the PEM, generate the token, isolate GH_CONFIG_DIR, write the runtime env file, and wire CLAUDE_ENV_FILE so every Bash call sees GH_TOKEN/GITHUB_TOKEN. Use when the hook did not run, the token is missing from the environment, or a shell/teammate needs the token wired up by hand. <example>GH_TOKEN isn't set even though github-app is configured</example> <example>the github-app SessionStart hook didn't run, set up the token manually</example> <example>wire the github app token into CLAUDE_ENV_FILE</example> <example>gh keeps falling back to the wrong account, isolate GH_CONFIG_DIR</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/github-app-git-identity
tools
VerifiedTrustedCommunity
Manually configure the GitHub App bot git identity the way the github-app plugin's SessionStart hook does — resolve the app slug and bot user ID, build the <slug>[bot] name and noreply email, set GIT_AUTHOR_*/GIT_COMMITTER_* env vars, and write an isolated GIT_CONFIG_GLOBAL with the gh auth git-credential helper. Use when commits are attributed to the wrong account, "Author identity unknown" appears, or git identity must be set up by hand. <example>my commits are showing up as the handler, not the bot</example> <example>git says Author identity unknown after the github-app hook ran</example> <example>configure the github app bot git identity manually</example> <example>set up the gh credential helper for git push</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/spec-management
tools
VerifiedTrustedCommunity
Manages spec files for requirements capture and validation
3SKILL.mdUpdated Jun 7, 2026
nsheaps/plugins/bash-command-rejection/skills/bash-chaining-alternatives
tools
VerifiedTrustedCommunity
# Bash Chaining Alternatives This skill teaches you how to work around the bash command chaining restriction enforced by this plugin. ## Why Chaining is Blocked The `bash-command-rejection` plugin blocks these operators: | Operator | Name | Why Blocked | | -------- | ---------- | ----------------------------------------------------------------------------------- | | `&&` | AND chain | Runs cmd2 only if cmd1 su
3SKILL.mdUpdated Jun 7, 2026