telegram
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues detected. The skill performs its stated function of interacting with the Telegram Bot API using standard system utilities and secure credential management.
- [COMMAND_EXECUTION]: Employs curl and jq for API interaction and response parsing, which are standard utilities for this type of skill. No arbitrary or high-risk commands are executed.
- [DATA_EXFILTRATION]: Performs network requests to api.telegram.org. This is a well-known service and the communication is essential for the skill's intended purpose.
- [CREDENTIALS_UNSAFE]: Secrets are managed through the TELEGRAM_BOT_TOKEN environment variable, ensuring that no sensitive credentials are hardcoded in the skill body.
- [PROMPT_INJECTION]: The skill retrieves external message content via the getUpdates method as part of its primary function. 1. Ingestion points: Message text is retrieved via the getUpdates command in SKILL.md. 2. Boundary markers: None present. 3. Capability inventory: Includes network access via curl and local file reading via the @ flag in the sendPhoto command. 4. Sanitization: None present. This is documented as a functional surface and does not escalate the verdict.
Audit Metadata