agent-telegram
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation guide in `references/installation.md` promotes executing remote scripts directly from an unverified domain `kurier.sh` using shell piping (`curl ... | bash`, `irm ... | iex`). This practice bypasses standard package verification and allows for the execution of arbitrary code during the setup process.
- [COMMAND_EXECUTION]: The skill provides an `agent-telegram eval` command that executes arbitrary JavaScript. According to the documentation, this environment has access to the file system (`fs` and `path` modules) and the TDLib client. This represents a high risk if an agent constructs or executes scripts based on untrusted inputs from the user or Telegram messages.
- [DATA_EXFILTRATION]: The skill possesses extensive capabilities to read, search, and forward private Telegram messages and media. In an adversarial scenario, these tools could be manipulated to extract sensitive user communications or credentials stored in Telegram messages.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its interaction with untrusted Telegram content combined with its powerful command set.
  - Ingestion points: Untrusted data enters the agent context through `msg list`, `msg search`, `msg get`, and `listen` commands in `SKILL.md`.
  - Boundary markers: While the documentation specifies that content is isolated in JSON fields (`content.text`), there are no security boundaries or instructions to the agent to disregard embedded commands within those strings.
  - Capability inventory: The skill has broad capabilities including sending messages, deleting/forwarding history, and executing JavaScript via `eval`.
  - Sanitization: There is no evidence of programmatic sanitization, validation, or escaping of the content retrieved from the Telegram API before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata