What this is
This guide explains the safety features that isolate your local computer from public internet access while using Telegram.
Why it matters
Because your assistant runs locally on your computer and has access to your system, keeping your bot private is essential to protect your machine and your data.
🔑 Bot Token Privacy
Your Telegram Bot Token acts as the username and password for your bot account.
Important Safety Rule
Keep your bot token private. Access should be limited to your allowed Telegram user ID. Do not share your private bot publicly.
If someone gets hold of your Bot Token, they can read your messages, impersonate your bot, and attempt to send commands directly to your local computer. Never share this token or include it in screenshots, public forums, or ZIP files.
🛡️ Allowed User ID Whitelist
By default, anyone on Telegram can search for your bot's username and attempt to start a chat. To prevent unauthorized access, TutorClaw uses a strict **User ID whitelist**:
- During first-run setup, TutorClaw registers your unique, numeric **Telegram User ID** in its configuration.
- TutorClaw checks every incoming message. If the sender's ID does not match your whitelisted User ID, the message is immediately blocked and ignored.
- Even if someone discovers your bot's username, they cannot run commands or get responses.
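The check described above can be sketched as follows. This is an added example, not TutorClaw's own code: the names `ALLOWED_USER_ID`, `sender_id` and `is_authorized` and the sample IDs are assumptions, while the update fields (`message`, `from`, `id` and so on) follow the Telegram Bot API. It matches on the numeric sender ID only, never on the username or chat ID, and rejects anything it cannot attribute to a sender.

```python
import logging

log = logging.getLogger("allowlist_example")

# Assumption: placeholder value; the real ID is the one registered at first-run setup.
ALLOWED_USER_ID = 111111111

# Bot API update kinds that carry the sender in a "from" object.
SENDER_KINDS = ("message", "edited_message", "callback_query", "inline_query")


def sender_id(update: dict):
    """Return the numeric sender ID of an update, or None if it has none."""
    for kind in SENDER_KINDS:
        payload = update.get(kind)
        if isinstance(payload, dict):
            sender = payload.get("from")
            uid = sender.get("id") if isinstance(sender, dict) else None
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(uid, int) and not isinstance(uid, bool):
                return uid
            return None
    return None  # e.g. a channel_post, which has no usable sender


def is_authorized(update: dict, allowed_id: int = ALLOWED_USER_ID) -> bool:
    """Fail closed: only an exact numeric match on the sender ID passes."""
    uid = sender_id(update)
    if uid is not None and uid == allowed_id:
        return True
    # Log only the IDs, never the message text, so the console stays reviewable.
    log.warning("blocked update %s from sender %s", update.get("update_id"), uid)
    return False


# Constructed sample updates (not captured traffic).
OWNER_MSG = {"update_id": 1, "message": {"from": {"id": 111111111}, "chat": {"id": 111111111}, "text": "/start"}}
GROUP_MSG = {"update_id": 2, "message": {"from": {"id": 222222222}, "chat": {"id": -1001}, "text": "/start"}}
CHANNEL_POST = {"update_id": 3, "channel_post": {"chat": {"id": -1002}, "text": "hi"}}
OWNER_EDIT = {"update_id": 4, "edited_message": {"from": {"id": 111111111}, "chat": {"id": 111111111}, "text": "x"}}
STRING_ID = {"update_id": 5, "message": {"from": {"id": "111111111"}, "chat": {"id": 1}, "text": "x"}}
```

Checking `from.id` rather than `chat.id` matters in group chats, where the chat ID belongs to the group and says nothing about who sent the message.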
🚫 Do Not Share Your Bot Publicly
- Keep it private: Do not post your bot's username or link on public social media, GitHub, or public channels.
- Single-user design: Your bot is intended to be a private tutor channel for you alone. Keeping it unpublicized adds a strong layer of safety.
- Check your logs: You can look at the TutorClaw console window on your computer to verify that only your authorized User ID is active.
Use Chat as the Lab
Open the chat window in your browser (the lab) and test these questions:
- Is my Telegram connection safe?
- How does the whitelist filter unauthorized users?