skills/gramiojs/documentation/gramio/Gen Agent Trust Hub

gramio

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides legitimate documentation, examples, and scaffolding instructions for the GramIO framework. No malicious patterns, obfuscation, or unauthorized data access attempts were detected.
  • [EXTERNAL_DOWNLOADS]: The skill refers to the installation of official framework packages (e.g., gramio, @gramio/session, @gramio/types) from the npm registry. It also provides instructions for project scaffolding using standard commands such as npm create gramio, which are legitimate tools provided by the framework author.
  • [COMMAND_EXECUTION]: The documentation includes standard development commands for initializing projects, running development servers (bun run dev), and managing Docker containers (docker-compose up). These commands are appropriate for the skill's primary purpose.
  • [REMOTE_CODE_EXECUTION]: The autoload plugin facilitates the dynamic loading of handler files from a local directory. This is a standard architectural feature for modular bot development and does not involve executing untrusted remote code.
  • [DATA_EXPOSURE]: The skill correctly demonstrates best practices for credential management by advising the use of environment variables (e.g., process.env.BOT_TOKEN) for Telegram API tokens rather than hardcoding them.
  • [INDIRECT_PROMPT_INJECTION]: As a bot framework, GramIO is designed to process untrusted data from the Telegram API. The framework promotes the use of a custom formatting system (format template literals) that generates MessageEntity objects instead of using parse_mode. This design choice inherently reduces the risk of traditional markup-based injection attacks compared to raw HTML or Markdown parsing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 2, 2026, 12:38 AM