telegram-automation

Warn

Audited by Socket on Feb 28, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

This SKILL.md is functionally coherent: capabilities match the stated purpose of automating Telegram via a Telegram bot. The primary security concern is that it centralizes execution and credential handling through a third-party MCP (https://rube.app/mcp). That requires trusting the MCP with the Telegram Bot Token and message/media payloads. The skill dynamically loads tool schemas from the MCP, increasing the potential attack surface (remote behavior/control). There is no embedded malicious code in this document itself, but the credential-forwarding and reliance on an external managed service without documented protections create a meaningful supply-chain and credential-exfiltration risk. Recommend treating this as potentially vulnerable: only use with a vetted/trusted MCP, verify how tokens are stored/used, and prefer direct, auditable integrations to Telegram when possible.

Confidence: 75%
Severity: 55%
Audit Metadata
Analyzed At: Feb 28, 2026, 05:45 AM
Package URL: pkg:socket/skills-sh/sickn33%2Fantigravity-awesome-skills%2Ftelegram-automation%2F@3e21c2dfe8f11f97c5213e68a14cd35c748e7fb0