Back to skill

Security audit

Telebiz Mcp

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate Telegram automation purpose, but it exposes logged-in Telegram actions through unauthenticated local services that users should review before installing.

Install only if you trust the publisher and can keep ports 9716, 9717, and 9718 inaccessible to other users, websites, containers, and the network. Review every destructive or bulk Telegram action before allowing an agent to run it. Prefer a version that binds explicitly to 127.0.0.1 or a protected Unix socket, requires a random auth token, restricts CORS/origins, and lets you disable or scope destructive and batch tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises operational setup that uses shell commands, local network services, environment-based configuration, and long-running processes, but it does not declare permissions or clearly constrain those capabilities. This creates a trust gap: operators may approve a seemingly simple Telegram-access skill without realizing it can start services, expose local HTTP/WebSocket endpoints, and interact with the host environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior materially exceeds the stated purpose: beyond reading/searching/sending Telegram messages, it also runs a relay/server, exposes HTTP APIs, performs monitoring/daemon functions, and enables destructive and administrative Telegram actions such as deleting chats/messages, managing members, and creating groups. When a skill's declared purpose understates its real capabilities, users and policy systems can misclassify risk and authorize broader access than intended.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest description omits destructive and high-privilege capabilities like deleting chats/messages, adding or removing members, creating groups, and batch operations. In the context of an authenticated Telegram session, these omissions are especially risky because the skill can directly affect real communications, memberships, and account-visible state, not just read data.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The daemon binds an HTTP server on localhost and exposes a POST /call endpoint that forwards arbitrary tool names and arguments to the MCP process with no authentication, authorization, origin checks, or allowlist. Any local process—and in some environments even a web page via localhost requests or a co-tenant user on the same host—could invoke Telegram-capable tools through the authenticated session, leading to message sending, chat access, or broader MCP actions depending on available tools.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The header explicitly states the daemon exposes an HTTP API for tool calls, and the implementation follows through with a generic tool invocation surface rather than a narrowly scoped reconnection helper. That design widens the attack surface because the service becomes a local RPC bridge into an authenticated Telegram session without any access control or least-privilege restrictions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The server explicitly sets `Access-Control-Allow-Origin: *` and exposes the `/mcp` endpoint without any authentication, allowing any website or local process that can reach the port to invoke authenticated Telegram MCP actions through the user's existing session. In this skill's context, the wrapped interface can read chats, search messages, manage folders, and send messages, so cross-origin or unauthorized access could directly lead to Telegram data exfiltration and account actions performed as the user.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The exposed toolset goes well beyond the stated description of listing chats, reading messages, searching, folder management, and sending messages. It also enables destructive and administrative actions such as deleting chats/messages, creating groups, adding/removing members, muting, pinning, and bulk operations, which creates a dangerous capability mismatch that can mislead users and downstream agents into granting more trust than warranted.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The batchSendMessage capability materially increases abuse potential by enabling automated bulk outreach/spam from an authenticated Telegram session, but that capability is not justified by the skill's stated purpose. In agentic contexts, understated mass-messaging features are especially risky because they can be invoked at scale without the user realizing the skill supports campaign-like behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The daemon exposes a local HTTP server on a fixed port with no authentication, and its /call endpoint forwards arbitrary tool names and arguments directly to the MCP process. Any local process, browser-based localhost attacker, or user in a shared environment that can reach 127.0.0.1:9717 can invoke Telegram-backed actions through the already-authenticated session, which expands access well beyond the intended CLI/interactive trust boundary.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP server exposes Telegram MCP operations at /mcp with no authentication, authorization, or origin restrictions, while explicitly enabling permissive CORS with Access-Control-Allow-Origin: *. Any local or network-reachable client that can connect to this port can invoke tools backed by an authenticated Telegram session, allowing reading messages, searching chats, managing folders, and sending messages as the logged-in user.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata describes access to Telegram chats, messages, folders, and sending messages, but the tool surface also includes materially broader account-management and destructive capabilities such as deleting chats/messages, creating groups, and adding or removing members. That mismatch can mislead users or orchestrators about the true authority granted to the skill, increasing the risk of unsafe approval and misuse.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest omits bulk messaging and bulk chat-management operations, while the code exposes batchSendMessage, batchAddToFolder, and batchArchive. Bulk operations amplify impact substantially because a single approval can trigger mass outreach or large-scale account reorganization, which is more dangerous than the description suggests.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The relay allows any WebSocket peer to self-register as either a client or the sole executor with no authentication, authorization, origin checks, or channel binding. In this skill, the executor represents an authenticated Telegram browser session, so an attacker on the reachable network could impersonate an MCP client to drive Telegram actions or replace the executor and intercept/redirect requests, making the lack of access control materially dangerous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The local HTTP API is silent and undisclosed at runtime while exposing sensitive capabilities over an authenticated Telegram session. Lack of user-facing warning increases risk because users may not realize a persistent daemon is listening for requests that can read or send Telegram data, reducing informed consent and making abuse by other local software harder to detect.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This server forwards tool invocations and resulting Telegram data over a WebSocket relay with no user-facing disclosure, consent flow, or trust boundary explanation. Even though the default relay is localhost, the URL is environment-configurable and the code does not authenticate the relay or warn users that sensitive chat data may transit to another process or host.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This file creates a network-reachable API surface for tool invocation but provides no warning, consent flow, or safety disclosure to the user before exposing authenticated Telegram actions over HTTP. In the context of a skill that can read and send Telegram messages, silently opening such an API increases the chance of unintended exposure and misuse by other local software or browser-originated requests.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Tool arguments and resulting Telegram-derived data are sent over a WebSocket relay, but the code provides no user-visible disclosure, consent mechanism, or transport security guarantee. Even though the default relay is localhost, the URL is configurable and may point to a remote endpoint, creating a risk of silent transmission of sensitive chat content and metadata.

Exfiltration Commands

High
Category
Prompt Injection
Content
},
                toChatId: {
                    type: 'string',
                    description: 'The ID of the chat to forward messages to',
                },
                messageIds: {
                    type: 'array',
Confidence
78% confidence
Finding
forward messages to

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/daemon.js:36

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/http-server.js:30

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/daemon.ts:43

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/http-server.ts:40

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/daemon.js:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/daemon.ts:21