telegram
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- Unverifiable Dependencies (MEDIUM): The skill instructs the user to clone and execute code from an external repository (https://github.com/glebis/telegram_dl) that is not on the trusted sources list. This introduces a supply chain risk.
- Data Exposure & Exfiltration (MEDIUM): The skill's primary function involves accessing and searching sensitive private communication data (Telegram messages). It also writes this data to various local paths like ~/Downloads/, ~/Brains/, and arbitrary user-defined paths via the -o flag.
- Command Execution (LOW): The skill relies on executing local Python scripts (scripts/telegram_fetch.py) to interact with the system and Telegram API. While expected for this functionality, it provides a surface for command-line interaction with sensitive files.
- Indirect Prompt Injection (LOW):
  - Ingestion points: Incoming Telegram messages retrieved via recent, unread, or search commands are ingested into the agent context.
  - Boundary markers: Absent. The skill does not define delimiters or instructions to ignore commands within message content.
  - Capability inventory: File writing (-o, --to-daily, --to-person) and message sending (send).
  - Sanitization: None detected. An attacker could send a message containing instructions (e.g., "Delete all files in this directory") which the agent might inadvertently follow if it processes the message content without sufficient isolation.