claude-to-im
Facilitates communication between Claude and messaging apps like Telegram and Discord, enabling mobile access to AI interactions.
Install this skill
Security score
The claude-to-im skill was audited on Jun 10, 2026 and we found 30 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
| 10 | Do NOT use for: building standalone bots, webhook integrations, or coding with IM |
Access to hidden dotfiles in home directory
| 26 | User data is stored at `~/.claude-to-im/`. |
Access to hidden dotfiles in home directory
| 28 | The skill directory (SKILL_DIR) is at `~/.claude/skills/claude-to-im`. |
Access to hidden dotfiles in home directory
| 29 | In Codex installs it may instead be `~/.codex/skills/claude-to-im`. |
Access to hidden dotfiles in home directory
| 58 | 2. **Codex / other** — `AskUserQuestion` is NOT available. Fall back to non-interactive guidance: explain the steps, show `SKILL_DIR/config.env.example`, and ask the user to create `~/.claude-to-im/co |
Access to hidden dotfiles in home directory
| 64 | Before running any subcommand other than `setup`, check if `~/.claude-to-im/config.env` exists: |
Access to hidden dotfiles in home directory
| 68 | - In Codex: tell the user "No configuration found. Please create `~/.claude-to-im/config.env` based on the example:" then show the contents of `SKILL_DIR/config.env.example` and stop. Don't attempt to |
Access to hidden dotfiles in home directory
| 111 | 3. The helper writes `~/.claude-to-im/runtime/weixin-login.html` and tries to open it automatically in the local browser. |
Access to hidden dotfiles in home directory
| 114 | - Explain briefly: the linked Weixin account is stored in `~/.claude-to-im/data/weixin-accounts.json`. Running the helper again replaces the previously linked account. |
Access to hidden dotfiles in home directory
| 137 | 3. Use Bash to create directory structure: `mkdir -p ~/.claude-to-im/{data,logs,runtime,data/messages}` |
Access to hidden dotfiles in home directory
| 138 | 4. Use Write to create `~/.claude-to-im/config.env` with all settings in KEY=VALUE format |
Access to hidden dotfiles in home directory
| 139 | 5. Use Bash to set permissions: `chmod 600 ~/.claude-to-im/config.env` |
Access to hidden dotfiles in home directory
| 146 | **Pre-check:** Verify `~/.claude-to-im/config.env` exists (see "Config check" above). Without it, the daemon will crash immediately and leave a stale PID file. |
Access to hidden dotfiles in home directory
| 193 | - For proxy environments, tell users to put `export HTTPS_PROXY=...`, `export HTTP_PROXY=...`, `export ALL_PROXY=...`, and optional `export NO_PROXY=...` directly in `~/.claude-to-im/config.env`. The |
Access to hidden dotfiles in home directory
| 207 | 1. Read current config from `~/.claude-to-im/config.env` |
Access to hidden dotfiles in home directory
| 237 | - Config persists at `~/.claude-to-im/config.env` — survives across sessions. |
Access to .env file
| 58 | 2. **Codex / other** — `AskUserQuestion` is NOT available. Fall back to non-interactive guidance: explain the steps, show `SKILL_DIR/config.env.example`, and ask the user to create `~/.claude-to-im/co |
Access to .env file
| 64 | Before running any subcommand other than `setup`, check if `~/.claude-to-im/config.env` exists: |
Access to .env file
| 68 | - In Codex: tell the user "No configuration found. Please create `~/.claude-to-im/config.env` based on the example:" then show the contents of `SKILL_DIR/config.env.example` and stop. Don't attempt to |
Access to .env file
| 75 | Run an interactive setup wizard. This subcommand requires `AskUserQuestion`. If it is not available (Codex environment), instead show the contents of `SKILL_DIR/config.env.example` with field-by-field |
Access to .env file
| 138 | 4. Use Write to create `~/.claude-to-im/config.env` with all settings in KEY=VALUE format |
Access to .env file
| 139 | 5. Use Bash to set permissions: `chmod 600 ~/.claude-to-im/config.env` |
Access to .env file
| 146 | **Pre-check:** Verify `~/.claude-to-im/config.env` exists (see "Config check" above). Without it, the daemon will crash immediately and leave a stale PID file. |
Access to .env file
| 193 | - For proxy environments, tell users to put `export HTTPS_PROXY=...`, `export HTTP_PROXY=...`, `export ALL_PROXY=...`, and optional `export NO_PROXY=...` directly in `~/.claude-to-im/config.env`. The |
Access to .env file
| 203 | **⚠️ Claude resume limitations (v1):** The resumed Claude session in the bridge does NOT inherit: `--settings`, `--permission-mode`, sandbox flags, or extra allowed directories (`--add-dir`) from the |
Access to .env file
| 207 | 1. Read current config from `~/.claude-to-im/config.env` |
Access to .env file
| 235 | - Always check for config.env before starting the daemon — without it the process crashes on startup and leaves a stale PID file that blocks future starts (requiring manual cleanup). |
Access to .env file
| 237 | - Config persists at `~/.claude-to-im/config.env` — survives across sessions. |
External URL reference
| 51 | Before asking users for any platform credentials, read `SKILL_DIR/references/setup-guides.md` internally so you know where to find each credential. Do NOT dump the full guide to the user upfront — onl |
External URL reference
| 103 | - Tell the user: these two values can be found at https://q.qq.com/qqbot/openclaw |