telegram
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to ingest and act on arbitrary user-generated Telegram content, e.g., Message.text and CallbackQuery.data handlers (references/aiogram-patterns.md), InlineQuery handling (references/inline-mode.md), and Mini App / Login Widget initData (references/mini-apps.md and references/authentication.md), which the bot reads and uses to drive behavior and tool actions. Every one of these fields is attacker-controlled: any Telegram user can type the message text, and callback and inline query data can be crafted by a client rather than produced by the bot's own keyboard, so they must be handled as data and validated against an allowlist of expected actions, never passed to the agent as instructions. Mini App initData and Login Widget fields carry a hash that must be verified with the HMAC-SHA256 scheme Telegram documents (secret derived from the bot token) and checked for a fresh auth_date before any identity in them is trusted.
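The verification step named above for Mini App initData and Login Widget data, written out as an added example (not code from the audited skill or its references). It follows Telegram's documented scheme: the data-check string is every field except hash, sorted by key, one key=value per line; Mini Apps use HMAC-SHA256(key="WebAppData", message=bot token) as the secret, the Login Widget uses SHA256(bot token). The bot token, the replay window and the clock-skew tolerance are assumptions; the sign_* helpers exist only to construct valid test payloads the way Telegram's client would.

```python
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed example token; a real deployment loads the BotFather token from secret storage.
BOT_TOKEN = "123456789:EXAMPLE_TOKEN_DO_NOT_USE"
# Assumption: how old an auth_date we still accept (replay window) and tolerated clock skew.
MAX_AGE_SECONDS = 300
CLOCK_SKEW_SECONDS = 60


def _data_check_string(fields: dict) -> str:
    """Telegram's canonical form: every field except `hash`, sorted by key, "key=value" lines."""
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def _webapp_secret(bot_token: str) -> bytes:
    """Mini Apps: secret_key = HMAC_SHA256(key="WebAppData", message=bot_token)."""
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def _login_widget_secret(bot_token: str) -> bytes:
    """Login Widget: secret_key = SHA256(bot_token)."""
    return hashlib.sha256(bot_token.encode()).digest()


def _hex_hash(secret: bytes, fields: dict) -> str:
    return hmac.new(secret, _data_check_string(fields).encode(), hashlib.sha256).hexdigest()


def _verify(fields: dict, secret: bytes, now: float) -> bool:
    """Constant-time hash check plus an auth_date freshness window.
    The hash alone does not stop replay: a captured payload would stay valid forever."""
    if not hmac.compare_digest(_hex_hash(secret, fields), str(fields.get("hash", ""))):
        return False
    try:
        age = now - int(fields["auth_date"])
    except (KeyError, ValueError):
        return False
    return -CLOCK_SKEW_SECONDS <= age <= MAX_AGE_SECONDS


def verify_init_data(init_data: str, bot_token: str = BOT_TOKEN, now: Optional[float] = None):
    """Validate the initData query string a Mini App forwards to the bot backend.
    Returns the parsed fields (with `user` decoded from JSON) or None if rejected."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    if not _verify(fields, _webapp_secret(bot_token), time.time() if now is None else now):
        return None
    if "user" in fields:
        fields["user"] = json.loads(fields["user"])
    return fields


def verify_login_widget(fields: dict, bot_token: str = BOT_TOKEN, now: Optional[float] = None) -> bool:
    """Validate the fields the Login Widget hands to the site (id, first_name, auth_date, hash, ...)."""
    as_strings = {k: str(v) for k, v in fields.items()}
    return _verify(as_strings, _login_widget_secret(bot_token), time.time() if now is None else now)


def sign_init_data(fields: dict, bot_token: str = BOT_TOKEN) -> str:
    """Constructed test helper: build initData the way Telegram's client signs it."""
    return urlencode({**fields, "hash": _hex_hash(_webapp_secret(bot_token), fields)})


def sign_login_widget(fields: dict, bot_token: str = BOT_TOKEN) -> dict:
    """Constructed test helper: build Login Widget fields the way Telegram signs them."""
    as_strings = {k: str(v) for k, v in fields.items()}
    return {**fields, "hash": _hex_hash(_login_widget_secret(bot_token), as_strings)}


if __name__ == "__main__":
    now = 1_700_000_000
    good = sign_init_data({"auth_date": str(now - 10), "query_id": "q1",
                           "user": '{"id": 42, "first_name": "Ann"}'})
    print(verify_init_data(good, now=now)["user"]["id"])      # accepted: 42
    print(verify_init_data(good.replace("Ann", "Bob"), now=now))  # tampered: None
```

The freshness check matters as much as the hash: Telegram's scheme has no nonce, so without an auth_date window a leaked initData string authenticates its user indefinitely.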
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The Mini Apps and Login Widget examples instruct embedding remote JavaScript that is fetched and executed at runtime, specifically https://telegram.org/js/telegram-web-app.js and https://telegram.org/js/telegram-widget.js?22 (the query string is the widget version used in Telegram's own documentation), making those external URLs runtime dependencies that execute remote code. These are Telegram's official script hosts, so the point is not that the origin is hostile but that the code is unpinned: whatever telegram.org serves at load time runs in the Mini App page with access to initData and to the page's DOM, and a compromise of that host or of the delivery path, or a breaking change to the script, takes effect without any change on the bot's side.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes a "Payments (Stars/subscriptions)" capability and a payments.md reference. Telegram's Bot API and Stars/subscription features are specific payment mechanisms (invoices, provider integrations, in-app payments) rather than a generic tool. Because this is a concrete, payment-focused capability that can be used to accept/process money, it meets the criteria for Direct Financial Execution. In practice the bot issues invoices, must answer each pre_checkout_query before the purchase completes, and then receives a successful_payment message; an agent driving this flow must only approve pre-checkout queries whose payload, currency and amount match an invoice it actually issued, and must fulfil each successful payment exactly once.
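The server-side checks for that flow, as an added example (not code from the audited skill or its payments.md). It works on the plain Bot API JSON shapes for pre_checkout_query and successful_payment and returns the parameters for answerPreCheckoutQuery rather than calling the API, so it runs offline. The invoice store, the sample invoice and the charge IDs are constructed; the Stars currency code is the real "XTR".

```python
def make_sample_invoices() -> dict:
    """Constructed record of invoices this bot has issued, keyed by invoice_payload.
    Amounts follow the Bot API: for Stars (currency "XTR") total_amount is a whole number."""
    return {"order-1001": {"currency": "XTR", "total_amount": 50, "fulfilled": False}}


def answer_pre_checkout(query: dict, issued: dict) -> dict:
    """Build the answerPreCheckoutQuery parameters for an incoming pre_checkout_query.
    Approve only when payload, currency and amount match an invoice this bot issued
    and that invoice is still open; the Bot API requires error_message when ok is False."""
    reply = {"pre_checkout_query_id": query["id"]}
    invoice = issued.get(query.get("invoice_payload"))
    if invoice is None:
        return {**reply, "ok": False, "error_message": "Unknown invoice."}
    if invoice["fulfilled"]:
        return {**reply, "ok": False, "error_message": "Invoice already paid."}
    if (query.get("currency") != invoice["currency"]
            or query.get("total_amount") != invoice["total_amount"]):
        return {**reply, "ok": False, "error_message": "Payment details do not match the invoice."}
    return {**reply, "ok": True}


def record_successful_payment(payment: dict, issued: dict, seen_charges: set) -> bool:
    """Handle message.successful_payment idempotently. A webhook that fails to
    acknowledge an update gets it redelivered, so the same telegram_payment_charge_id
    must never fulfil an order twice. Returns True only when the order is fulfilled now."""
    charge = payment["telegram_payment_charge_id"]
    if charge in seen_charges:
        return False
    invoice = issued.get(payment.get("invoice_payload"))
    if (invoice is None or invoice["fulfilled"]
            or invoice["currency"] != payment.get("currency")
            or invoice["total_amount"] != payment.get("total_amount")):
        return False  # mismatch with what was issued: hold for manual review, do not fulfil
    seen_charges.add(charge)
    invoice["fulfilled"] = True
    return True


if __name__ == "__main__":
    invoices = make_sample_invoices()
    # Constructed pre_checkout_query and successful_payment payloads in Bot API shape.
    query = {"id": "pcq-1", "currency": "XTR", "total_amount": 50, "invoice_payload": "order-1001"}
    print(answer_pre_checkout(query, invoices))                      # ok: True
    print(answer_pre_checkout({**query, "total_amount": 1}, invoices))  # ok: False
    paid = {"currency": "XTR", "total_amount": 50, "invoice_payload": "order-1001",
            "telegram_payment_charge_id": "chg-1"}
    seen = set()
    print(record_successful_payment(paid, invoices, seen))  # True, order fulfilled
    print(record_successful_payment(paid, invoices, seen))  # False, duplicate delivery
```

The bot has to answer a pre_checkout_query within 10 seconds, so the lookup behind `issued` should be local state, not a round trip to an agent.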
Audit Metadata