telegram-human-loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a 'Human-in-the-Loop' pattern that ingests untrusted external data which can influence agent behavior.
  - Ingestion points: Data enters the agent context via the getUpdates action of the Telegram Bot API.
  - Boundary markers: No boundary markers or delimiters are defined to separate external messages from agent instructions.
  - Capability inventory: The skill executes shell commands (mkdir, cat, chmod) and facilitates external network requests. The consuming agent likely possesses broader system capabilities.
  - Sanitization: There is no evidence of sanitization or validation of the text received from Telegram before the agent is told to 'proceed based on the reply'.
- Credentials Unsafe (MEDIUM): The skill manages sensitive Telegram bot tokens and chat IDs by storing them in plain text at ~/.claude/telegram.json. While it attempts to set file permissions (chmod 600), the agent itself is instructed to read this file, making the credentials accessible to any subsequent prompt injection attack.
- Command Execution (LOW): The skill uses shell commands (mkdir, cat, chmod) to manage its configuration. While these are used for setup, they represent a capability that can be abused if the agent's logic is subverted.
- Data Exfiltration (LOW): The skill transmits information to api.telegram.org. While this is the intended functionality, it establishes a permanent outbound channel that could be used to exfiltrate sensitive data if the agent is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata