tgcli
Warn
Audited by Socket on Mar 31, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill is mostly coherent with its stated Telegram-management purpose and routes data to Telegram rather than a third-party proxy, but it installs a personal-account messaging CLI from a personal GitHub module using mutable @latest and grants the agent the ability to send messages/files as the user. This is not confirmed malware, but it carries meaningful supply-chain, credential-handling, and real-world action risk.
Confidence: 86%
Severity: 62%