Telebiz Mcp

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a real Telegram MCP bridge, but it exposes broad Telegram read/write/delete control through persistent unauthenticated local services.

Install only if you fully trust the publisher and the external @telebiz/telebiz-mcp package. Run it on a private machine, firewall ports 9716/9717/9718, bind services to localhost, add authentication, and require confirmation before any send, delete, forward, batch, or member-management action.

Static analysis

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Env credential access

Critical

Finding: Environment variable access combined with network send.

Env credential access

Critical

Finding: Environment variable access combined with network send.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation

High

What this means

A web page, local process, or reachable network client could invoke Telegram tools through the user's authenticated session, including sending or deleting messages.

Why it was flagged

The HTTP MCP endpoint accepts POSTed tool calls with wildcard CORS and no authentication, authorization, localhost bind, or per-tool approval check visible in the code.

Skill content

res.setHeader('Access-Control-Allow-Origin', '*'); ... if (req.url === '/mcp' && req.method === 'POST') { ... const result = await handleMcpRequest(body); } ... server.listen(HTTP_PORT, () => {

Recommendation

Bind the server to 127.0.0.1, remove wildcard CORS, require a local auth token, and require explicit user confirmation for destructive or outward-facing Telegram actions.

ASI07: Insecure Inter-Agent Communication

High

What this means

An unauthorized process that can reach the relay could send tool requests to the authenticated browser, or register as an executor and spoof or intercept agent interactions.

Why it was flagged

The relay accepts any connection that claims to be a client or executor and forwards client messages to the browser executor, with no identity verification or shared secret shown.

Skill content

const wss = new WebSocketServer({ port: PORT }); ... if (message.role === 'executor') { ... executor = ws; } else if (message.role === 'client') { clients.add(ws); } ... const response = await sendToExecutor(message);

Recommendation

Authenticate both client and executor connections, restrict the listener to localhost/private interfaces, and reject attempts to replace the executor unless explicitly approved.

ASI03: Identity and Privilege Abuse

High

What this means

The agent can act as the user on Telegram, including affecting private chats, public groups/channels, and other people through messages or member changes.

Why it was flagged

The skill operates through a full authenticated Telegram browser session and exposes account-level read/write/member-management actions rather than a narrowly scoped credential or read-only capability.

Skill content

Go to **https://telebiz.io** and login with your Telegram account. ... `sendMessage` ... `forwardMessages` ... `deleteMessages` ... `addChatMembers` ... `removeChatMember` ... `createGroup`

Recommendation

Use a dedicated low-risk Telegram account where possible, clearly declare the session credential boundary, and require explicit user approval before send, delete, forward, or member-management tools run.

ASI04: Agentic Supply Chain Vulnerabilities

Medium

What this means

The behavior ultimately depends on the external npm package version present on the machine, which may differ from what was reviewed here.

Why it was flagged

The core Telegram bridge is installed globally from npm without a pinned version in the setup instructions, and the reviewed wrapper later runs the telebiz-mcp command from the environment.

Skill content

npm install -g @telebiz/telebiz-mcp

Recommendation

Pin the @telebiz/telebiz-mcp version, verify its publisher/source, and avoid running unreviewed global updates with an authenticated Telegram session.

ASI10: Rogue Agents

Low

What this means

Telegram access may remain available longer than the immediate task, increasing exposure if another process can reach the local service.

Why it was flagged

The service is designed to keep the MCP subprocess alive by restarting it after exit, which is disclosed and purpose-aligned but creates persistent availability of the Telegram bridge.

Skill content

log('Auto-restarting MCP process...'); startMcpProcess().catch(e => log(`Restart failed: ${e}`));

Recommendation

Start the bridge only when needed, provide a clear stop command, and disable auto-restart/cron monitoring unless continuous Telegram access is required.