telegram-readonly
Audited by Socket on Apr 2, 2026
1 alert found:
Anomaly
The documentation describes a read-only wrapper around a high-privilege Telegram session. The main security concerns are improper protection of the API credentials and the locally stored session string in config.json. While the wrapper limits exposed actions, the persisted session string and config file permissions are the primary risk vectors. To improve security, enforce strict file permissions, consider optional encryption or secure storage for the session string, and adopt explicit access controls and auditing for the credentials path. Supply-chain risk remains moderate due to reliance on Telethon and local credential handling; ensure the repository code path cannot silently elevate to write actions.