send-message

Fail

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: HIGH
[CREDENTIALS_UNSAFE] [COMMAND_EXECUTION] [DATA_EXFILTRATION] [PROMPT_INJECTION] [EXTERNAL_DOWNLOADS]

Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill hardcodes Telegram application credentials directly within the SKILL.md file. This includes an API_ID (18256514) and an API_HASH ("4b812166a74fbd4eaadf5c4c1c855926"). Exposing these secrets allows for potential application impersonation.
  • [DATA_EXFILTRATION]: The skill instructions direct the agent to access sensitive authentication files stored at ~/.local/share/telethon/eon. These session files contain the tokens required for full authorization into a personal Telegram account via MTProto, posing a significant privacy and security risk if accessed or handled improperly.
  • [COMMAND_EXECUTION]: The skill uses uv run to execute shell commands and dynamically generated Python scripts containing user-controlled variables (such as usernames and message content). The use of heredocs (<< 'PYEOF') without explicit sanitization or escaping of the interpolated user data creates a high risk for command and code injection.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the telethon library from the official Python Package Index (PyPI) at runtime using the uv run --with telethon command.
  • [PROMPT_INJECTION]: The "Self-Evolving Skill" section explicitly instructs the agent to modify the skill's own source code (SKILL.md) based on runtime behavior or needed workarounds. This creates a persistent instruction poisoning vector where an attacker could influence the agent to permanently alter the skill's logic.
  • [PROMPT_INJECTION]: An indirect prompt injection surface exists where untrusted data is processed by highly capable tools.
      ◦ Ingestion points: User-provided message content, usernames, and file paths enter the context via script arguments.
      ◦ Boundary markers: No delimiters or safety warnings are used to isolate user data from executable code or agent instructions.
      ◦ Capability inventory: The skill has access to shell execution, network communication via Telegram's MTProto, and sensitive local file system paths.
      ◦ Sanitization: No validation, escaping, or filtering of user input is performed before it is embedded into the executed scripts.

Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 20, 2026, 09:36 AM