The skill has a legitimate Telegram automation purpose, but it exposes logged-in Telegram actions through unauthenticated local services that users should review before installing.
Install only if you trust the publisher and can keep ports 9716, 9717, and 9718 inaccessible to other users, websites, containers, and the network. Review every destructive or bulk Telegram action before allowing an agent to run it. Prefer a version that binds explicitly to 127.0.0.1 or a protected Unix socket, requires a random auth token, restricts CORS/origins, and lets you disable or scope destructive and batch tools.