gramio-pick-username
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The agent is instructed to execute a bundled Node.js script (check-usernames.mjs) to verify username availability. This script is transparent, contains no external dependencies, and is used for its intended purpose.
- [DATA_EXFILTRATION]: Performs network requests to t.me (Telegram's well-known domain) to scrape public metadata. No sensitive user information or environment variables are transmitted during these checks.
- [SAFE]: The skill processes external HTML data from Telegram profile pages, creating an indirect prompt injection surface. The risk is minimized as follows:
- Ingestion points: Data is sourced from public t.me URLs.
- Boundary markers: The utility returns structured JSON, providing a clear boundary between external data and the agent's context.
- Capability inventory: Uses Bash for local script execution with standard permissions.
- Sanitization: The scraping logic uses specific regular expressions to extract only the necessary metadata (buttons and titles), filtering out irrelevant or potentially malicious page content.
Audit Metadata