dump-channel
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to access and utilize Telegram session files located at ~/.local/share/telethon/<profile>.session. These files contain sensitive authentication tokens that allow full access to a user's Telegram account. Exposure of these paths increases the risk of credential theft.
- [PROMPT_INJECTION]: The skill contains 'Self-Evolving' and 'Post-Execution Reflection' instructions that command the agent to 'fix this file immediately' (SKILL.md) if errors occur. This meta-instruction creates a mechanism for an attacker to manipulate the agent into writing malicious instructions or code into the skill's definition, leading to permanent modification of agent behavior.
- [COMMAND_EXECUTION]: The skill executes a Python CLI tool (tg-cli.py) using uv run within a Bash block. The script path is dynamically determined using environment variables like $CLAUDE_PLUGIN_ROOT, which could lead to execution of unintended files if the environment is compromised.
- [DATA_EXFILTRATION]: By design, the skill reads entire chat histories and media files. While the stated goal is local archival, the combination of access to session tokens and a broad file-read capability creates a significant data exposure surface.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (Telegram messages) and provides instructions for the agent to 'reflect' and update the skill based on execution results. If a malicious Telegram message is processed and causes an execution error, the agent might incorporate content from that message into the skill's source code during the 'fix' phase.
Recommendations
- AI detected serious security threats