find-user
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill's preflight check and execution script access sensitive Telegram session data located at ~/.local/share/telethon/<profile>.session. These files contain authentication tokens and private session information that could be harvested.
- [PROMPT_INJECTION]: The skill features 'Self-Evolving Skill' and 'Post-Execution Reflection' instructions that command the agent to 'fix this file immediately' and update instructions based on tool output. This pattern of self-modification can be exploited to persist malicious instructions or behavior changes if the agent is tricked by external input.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a Python script (tg-cli.py) via the uv package manager. While the script is located in the plugin directory, this execution path provides a vector for running arbitrary commands within the agent's environment.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes data from external Telegram profiles.
- Ingestion points: Telegram user and channel profile data fetched via the tg-cli.py tool.
- Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands in the profile data.
- Capability inventory: The skill has access to shell execution (Bash), file reading (Read), and file searching (Grep, Glob).
- Sanitization: Absent; there is no validation or escaping of the content retrieved from Telegram before it is processed by the agent.
- [DATA_EXFILTRATION]: The skill is designed to retrieve and display potentially private information such as phone numbers and user IDs from the Telegram network.
Recommendations
- AI detected serious security threats
Audit Metadata