The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill includes hardcoded Telegram API credentials (API_ID 18256514 and API_HASH "4b812166a74fbd4eaadf5c4c1c855926") in several Python code examples. These credentials grant access to the Telegram service and should be managed securely via environment variables rather than embedded directly in the skill file.
[PROMPT_INJECTION]: The "Self-Evolving Skill" section contains instructions for the agent to "fix this file immediately" when issues are encountered. This promotes self-modification of the skill's instructions, which can be manipulated to override safety protocols or alter agent behavior persistently.
[EXTERNAL_DOWNLOADS]: The skill utilizes uv run --with telethon, which automatically downloads the telethon library from external registries at runtime. This introduces a supply chain risk as the dependency is not pinned to a specific version or verified for integrity.
[COMMAND_EXECUTION]: The skill uses the Bash tool to execute Python code that includes user-provided message content. This content is interpolated into script variables without sufficient escaping, potentially allowing for code injection if the input contains characters that break the Python string or heredoc structure (e.g., the PYEOF delimiter).
[DATA_EXFILTRATION]: The skill reads from the user's Telegram session file (~/.local/share/telethon/eon). Combined with its ability to communicate with the Telegram API, this creates a risk of sensitive session data exposure.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its handling of external message data.
Ingestion points: The message parameter in the draft command.
Boundary markers: None are utilized to separate instructions from data.
Capability inventory: Uses Bash to execute network-active Python code.
Sanitization: No escaping or validation is performed on the message content before processing.

draft-message