telegram-sync
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data from Telegram messages and saves it in an 'LLM-friendly' format specifically intended for agent analysis. This creates a high-risk surface for indirect prompt injection.
- Ingestion points: Data enters from Telegram API via
telegram_sync.pyand is written to local Markdown files (e.g.,data/{group_id}/messages.md). - Boundary markers: Absent. The described message format lacks delimiters or instructions to ignore embedded commands within message bodies.
- Capability inventory: While this skill primarily performs write operations, it is designed to be used with
telegram-read. If the agent possesses further capabilities (e.g., shell access or file modification), messages from Telegram could trigger those actions. - Sanitization: No mention of sanitization, filtering, or escaping of message content.
- Data Exposure (HIGH): The skill targets highly sensitive personal information, including Direct Messages (DMs), which are synced by default. This exposes private communications to the agent's environment, increasing the risk of data leakage if the agent is subsequently compromised.
- Command Execution (LOW): The skill requires the execution of multiple Python scripts (
telegram_sync.py,telegram_list.py,telegram_init.py) via the command line. While legitimate for the skill's function, it represents the primary mechanism for the sensitive data access.
Recommendations
- AI detected serious security threats
Audit Metadata