sergei-mikhailov-tg-channel-reader

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive information including Telegram API credentials (TG_API_ID, TG_API_HASH) and MTProto session files (.session). These files grant full access to the user's Telegram account. The code in reader.py and reader_telethon.py reads these credentials from environment variables or a local configuration file (~/.tg-reader.json). This behavior is necessary for the skill's primary purpose but represents a data exposure surface.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted text from Telegram channels.
      • Ingestion points: Untrusted data is ingested in reader.py (via get_chat_history) and reader_telethon.py (via iter_messages).
      • Boundary markers: The skill does not use specific delimiters or instructions to the agent to ignore potential commands within the fetched messages.
      • Capability inventory: The skill can fetch message history and channel metadata, and write results to local files. The agent's broader capabilities could be exploited if it follows instructions found in the Telegram content.
      • Sanitization: There is no sanitization or filtering of the fetched message text to remove or neutralize potentially malicious prompt injection strings.
  • [EXTERNAL_DOWNLOADS]: The skill uses setup-tg-reader.sh and setup.py to install standard, well-known Python libraries (pyrogram, telethon, tgcrypto) from the official PyPI registry.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 07:00 AM