telegram-bot-agent

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it relies on processing untrusted external data.
      • Ingestion points: Untrusted data is ingested via python scripts/contacts.py import, which pulls chat names and history from the Telegram API, as well as via natural language user prompts.
      • Boundary markers: There are no boundary markers or delimiters specified to isolate untrusted user data from the instructions provided to the agent.
      • Capability inventory: The skill possesses the capability to execute shell commands via subprocess and perform network operations via the Telegram API (e.g., send_message.py).
      • Sanitization: While a general note suggests validating inputs, the operational instructions (e.g., mapping "Message [Name]" to send_message.py --to "[Name]") explicitly encourage direct interpolation of untrusted strings into CLI arguments without sanitization, facilitating argument injection.
  • [Credentials Unsafe] (MEDIUM): The skill relies on a TELEGRAM_BOT_TOKEN stored in a .env file. Although it mentions security best practices like not committing the file, the agent's involvement in initializing and managing these secrets increases the surface area for accidental credential exposure.
  • [Command Execution] (LOW): The skill's architecture is based on the execution of multiple local Python scripts. This reliance on shell execution for core functionality amplifies the impact of any successful prompt or argument injection vulnerability.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:06 PM