telegram-automation

[Skill Scanner] Skill instructions include directives to hide actions from user The fragment is a coherent, security-conscious blueprint for Telegram automation via Rube MCP. It establishes appropriate prerequisites, explicit tool sequences, and recognized safety considerations (token handling, chat permissions). While token management introduces potential risk if mishandled, the documentation itself does not indicate malicious intent or hidden data flows. Overall risk is low to moderate, with standard operational safeguards recommended. LLM verification: Functionally, the skill aligns with legitimate Telegram automation workflows. The dominant security concern is the required use of a third-party MCP (https://rube.app/mcp) that will receive bot tokens, message contents, media, and chat metadata — this centralization poses a real credential and data-exfiltration risk unless the MCP operator is trusted and transparent about handling. The static scanner's reported directive to hide actions (if present) is an additional red flag that should be inves