add-telegram
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File

The skill purpose is coherent: it adds Telegram channel support and provides an end-to-end setup flow. However, the integration relies on merging code from an external GitHub repository, introducing a transitive trust boundary and supply-chain risk that is not mitigated by a trusted registry provenance. The credential handling (Telegram bot token) is standard, but token exposure risk exists if logs or insecure file permissions are present. Data flows to Telegram APIs are appropriate for the stated purpose. Overall risk is elevated primarily due to the external code merge (transitive install) and the potential for hidden behaviors within the injected Telegram integration. Recommend tightening supply-chain practices (pin to a verified fork, include checksums, or use vendor-signed code), and ensure strict secret handling and access controls.