afk-claude-telegram-bridge

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The installer and setup flow explicitly prompt for and store a Telegram bot token (bot token/chat_id in config.json), which requires accepting and embedding the secret verbatim into configuration/commands, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs point to a personal GitHub repo and a raw install.sh meant to be run via "curl | bash" and which downloads pre-built binaries from the repo—an untrusted executable installer from a personal account is high-risk because it can silently install malicious code.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This code intentionally implements remote control over Claude Code via Telegram — including remote approval of Bash/tool calls, auto-approve/trust features, queued instruction injection, and filesystem IPC — which creates a high-risk backdoor-like capability (remote code execution and data exfiltration) if the Telegram bot, group, or installer supply chain is compromised or misconfigured.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's daemon (bridge.js) polls and ingests Telegram group messages (user-generated third-party content) and routes them into Claude via the IPC/Stop-hook flow—e.g., README.md / SKILL.md and CLAUDE.md describe "Reply with text to send Claude a new instruction" and the bridge daemon that reads Telegram and writes responses—so untrusted Telegram content can directly influence tool approvals and agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill’s recommended installer fetches and executes remote code (curl -fsSL https://raw.githubusercontent.com/gmotyl/afk-claude-telegram-bridge/main/install.sh | bash) and the README also instructs cloning and running the repo (git clone https://github.com/gmotyl/afk-claude-telegram-bridge.git followed by npm install && npm run deploy), which are clear instances of fetching external code that will be executed as part of setup/installation.