telegram-readonly

Warn

Audited by Socket on Apr 1, 2026

2 alerts found:

Anomaly x2
Anomaly LOW
README.md

Report 1 is the strongest among the three for outlining data flows and credential risks. The main concerns are the local storage of a high-privilege StringSession and the necessary MTProto authentication; no concrete malware indicators are present in the fragment, but the credential handling represents a notable supply-chain and operational risk. A full code-level review of scripts/telegram_readonly.py, the CLI entry points, and SKILL.md is required to definitively assess potential risks beyond this fragment.

Confidence: 78%
Severity: 60%
Anomaly LOW
references/setup-and-safety.md

The documentation describes a read-only wrapper around a high-privilege Telegram session. The main security concerns are improper protection of the API credentials and the locally stored session string in config.json. While the wrapper limits exposed actions, the persisted session string and config file permissions are the primary risk vectors. To improve security, enforce strict file permissions, consider optional encryption or secure storage for the session string, and adopt explicit access controls and auditing for the credentials path. Supply-chain risk remains moderate due to reliance on Telethon and local credential handling; ensure the repository code path cannot silently elevate to write actions.

Confidence: 65%
Severity: 62%
Audit Metadata
Analyzed At: Apr 1, 2026, 10:48 PM
Package URL: pkg:socket/skills-sh/ropl-btc%2Ftelegram-readonly-cli%2Ftelegram-readonly%2F@5c5dfc58717c9359b1aa370670277787eb4bb28c