telegram-bot-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): The skill follows development best practices for Telegram bots. The code snippets provided are boilerplate examples for bot initialization, command handling, and UI components.
- [CREDENTIALS_SAFE] (SAFE): The code uses `process.env.BOT_TOKEN` and `process.env.PAYMENT_TOKEN` instead of hardcoding secrets, which is a required security practice for avoiding credential exposure.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill references reputable and widely-used libraries (telegraf, grammY, aiogram). No suspicious external URLs or untrusted dependency sources are present.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill describes a bot that processes user text (`bot.on('text')`). This is a standard surface for indirect prompt injection if the data were passed to an LLM, but this skill focuses on basic bot API interactions rather than LLM orchestration.
- Ingestion points: `ctx.message.text` in text handlers.
- Boundary markers: None (standard bot boilerplate).
- Capability inventory: Telegram API calls (reply, invoice, keyboards).
- Sanitization: Not explicitly implemented in the basic templates, but typical for this use case.
Audit Metadata