afk-claude-telegram-bridge

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation instructions in README.md and SKILL.md encourage users to execute a remote script via curl -fsSL https://raw.githubusercontent.com/gmotyl/afk-claude-telegram-bridge/main/install.sh | bash. Piping remote scripts directly to a shell from a personal repository is a high-risk pattern that can be exploited if the source account or repository is compromised.
  • [CREDENTIALS_UNSAFE]: The skill requests a Telegram bot token during installation and stores it in plain text within ~/.claude/hooks/telegram-bridge/config.json. This token grants full control over the bot and is exposed to any process or user with read access to the local filesystem.
  • [COMMAND_EXECUTION]: The bridge implements a 'Session Trust' mechanism in src/bridge/daemon.ts. Once a session is marked as 'trusted' via a Telegram callback, all subsequent tool execution requests (including destructive tools like Bash, Write, and Edit) are automatically approved without requiring user confirmation via the Telegram interface. This allows for arbitrary command execution on the host machine if the Telegram group or bot is accessed by an unauthorized party.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection (Category 8):
      • Ingestion points: Telegram messages are polled in src/services/telegram-poller.ts and processed in src/bridge/daemon.ts.
      • Boundary markers: None. Telegram message text is passed directly back to the agent context.
      • Capability inventory: The skill can inject instructions into the Stop hook via the instruction response field in src/hook/stop.ts.
      • Sanitization: None. Only Telegram bot mentions are stripped via stripBotMention in src/bridge/daemon.ts before the content is forwarded to Claude as an instruction.
  • [COMMAND_EXECUTION]: The installation script install.sh modifies the user's ~/.claude/settings.json to register shell command hooks (hook.sh), which can lead to persistent execution of arbitrary code whenever the agent runs.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/gmotyl/afk-claude-telegram-bridge/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 12, 2026, 04:54 PM