Telebiz Mcp

This skill appears to do what it claims (bridge an authenticated telebiz browser session to an MCP API), but take precautions before installing: - Network exposure: by default the relay and HTTP server bind to all interfaces (0.0.0.0) and the HTTP server sets Access-Control-Allow-Origin: *. That means if your machine is reachable on the network, remote hosts could talk to the service and indirectly act using your logged-in Telegram session. Only run this on a trusted, firewalled host or change bindings to 127.0.0.1. - Limit interfaces: set TELEBIZ_HTTP_PORT/TELEBIZ_PORT/TELEBIZ_RELAY_URL or edit the server code to listen only on 127.0.0.1, or run the service inside a local-only container or VM. - Review startup scripts: inspect start-http.sh, start-relay.sh, and telebiz-service.sh before running them — telebiz-service.sh may install a systemd service or otherwise create persistent system-level configuration. - Principle of least privilege: do not run as root. Keep the service confined to a dedicated user or container. - Authenticate and audit: the skill will be able to read and send messages using your authenticated browser session — treat it like any other app with access to your account. Only install if you trust the telebiz package source and the skill code; consider running it in an isolated environment first. - If you want to proceed: change the server listen calls to bind to 127.0.0.1 (or add host argument), remove or tighten the CORS wildcard, and ensure your firewall blocks external access to ports 9716/9717/9718 (or whichever you use). If you cannot validate the telebiz package origin or you need to expose functionality to other hosts, audit the code carefully and prefer running it inside a network-restricted container/VM.