Security audit

Telegram Channel Reader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it lets an agent read Telegram channels using the user's own Telegram credentials, with sensitive local session handling that users should understand before installing.

Install only if you are comfortable giving the agent read access to Telegram channels visible to your account, including private subscribed channels. Protect TG_API_HASH and both session files like account credentials, avoid printing secrets during testing, do not share or sync session files, and use --output/read_unread only when you want local retention of channel data or read history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script explicitly deletes existing Telegram session database files before re-authentication. Even though it asks for confirmation, this exceeds the expected scope of a read-only channel reader and can cause loss of local authentication state (a forced logout) or disruption of other tooling that relies on the same session file.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The code has direct capability to unlink local authentication session files, which is a destructive action unrelated to merely reading Telegram channels. In a skill context, unnecessary file-deletion capability increases risk because a user may unintentionally destroy credentials or session state needed by other applications.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: The skill persists per-channel read-tracking state to disk, which goes beyond the declared capability of reading posts and comments by time window. In an agent environment, silent persistence of which channels were accessed and the last-read message IDs can leak user interests, create a recoverable activity history, and violate least-surprise and privacy expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 78%
Finding: The skill advertises time-window-based channel reading, but it also persists per-channel read state and can silently change future fetch behavior to return only unread items. In an agent setting, hidden persistent state can undermine user expectations, cause incomplete collection, and create cross-run data retention that is broader than the stated purpose.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The README tells users that authentication creates a persistent Telethon session file but does not warn that this file holds the account's authorization key, i.e. reusable authenticated session data. If the file is copied by malware, swept into a backup, exposed through permissive filesystem permissions, or shared by accident, whoever holds it can use the Telegram account through the existing session without repeating the login flow (phone code or two-factor password).

Vague Triggers

Severity: Medium
Confidence: 74%
Finding: The suggested usage triggers are broad phrases like 'check', 'read', or 'monitor' a Telegram channel, which can overlap with ordinary conversation and cause the skill to activate unexpectedly. In a skill that can access private Telegram content via a full-account session, accidental invocation raises privacy and data-minimization concerns.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The guide instructs users to print `TG_API_ID` and `TG_API_HASH` directly to the terminal, which exposes the secrets to screen recording, shared terminals, terminal scrollback, and any logging or observability tooling that captures the session. Shell history records only the command (`echo "$TG_API_HASH"`), not the expanded value, but the printed value still persists in those other places, and the practice normalizes unsafe secret handling during testing. Confirming that a variable is set (for example by checking its length or a hash of it) gives the same assurance without revealing it.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The troubleshooting guidance tells users to delete the Telethon session file with a wildcard and immediately re-authenticate, but does not warn that this destroys the current authenticated session state and that the wildcard may also remove related artifacts (for example the SQLite journal that sits next to the session database). In an agent or automated context, destructive cleanup without confirmation can cause avoidable account disruption and loss of local authentication state.
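
A check for the session-file risks raised in this finding and in the earlier 'Missing User Warnings' entry about the reusable session file, added here as an example (it is not code from the skill or from the audit tool): it lists every artifact a wildcard such as `rm *.session*` would sweep up, flags any that other local users can read, tightens them to owner-only, and replaces delete-and-re-authenticate with a move-to-backup reset that can be undone. It assumes a POSIX filesystem and session files kept in a single directory matching `*.session*`; the directory used in the `__main__` block is a placeholder.

```python
"""Session-file hygiene for a Telethon/Pyrogram-based Telegram skill.

Added example, not code from the skill or its audit. Assumes a POSIX
filesystem and that session artifacts live in one directory and match
'*.session*' (the SQLite store plus any -journal/-wal side files).
"""
import os
import shutil
import stat
import time
from pathlib import Path

# Same pattern a wildcard delete like 'rm *.session*' would expand to.
SESSION_GLOB = "*.session*"


def find_session_files(directory: Path) -> list:
    """Every session artifact directly under `directory` (not recursive)."""
    return sorted(p for p in Path(directory).glob(SESSION_GLOB) if p.is_file())


def is_overexposed(path: Path) -> bool:
    """True if group or others have any access bit (mode wider than 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def harden(path: Path) -> int:
    """Restrict a session file to owner read/write; returns the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def reset_session(path: Path, backup_dir: Path) -> Path:
    """Move (never delete) one session file so a broken auth state is recoverable.

    Unlike 'rm *.session*' this touches exactly one file and keeps a copy the
    user can restore if re-authentication fails. The backup is hardened too,
    since it is just as reusable as the original.
    """
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(mode=0o700, exist_ok=True)
    target = backup_dir / f"{path.name}.{int(time.time())}.bak"
    shutil.move(str(path), str(target))
    harden(target)
    return target


def audit(directory: Path) -> dict:
    """Classify each session artifact as 'exposed' or 'ok' by its permissions."""
    report = {"exposed": [], "ok": []}
    for p in find_session_files(directory):
        report["exposed" if is_overexposed(p) else "ok"].append(p.name)
    return report


if __name__ == "__main__":
    # Placeholder location; point this at the skill's working directory.
    print(audit(Path.cwd()))
```

Run `audit()` against the skill's working directory before and after first authentication; anything under "exposed" should be passed to `harden()`, and troubleshooting steps that currently say "delete the session file" should call `reset_session()` so the previous state survives in the backup directory.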

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The script enables global DEBUG logging for Pyrogram and reads sensitive Telegram API credentials from environment variables or a local config file. Verbose auth logging can expose identifiers, request metadata, or other sensitive operational details in logs, and the script does not provide a strong warning about the privacy implications of running in debug mode.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The skill can write fetched Telegram content to an arbitrary local path without any warning or consent prompt about persistence. In agent or multi-tool workflows, this can cause unintended local retention of potentially sensitive channel content in locations accessible to other processes or users.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The auth flow prints the authenticated user's full phone number to stdout and includes it in JSON output, which can leak sensitive personal data into agent logs, terminal history, orchestration traces, or shared output files. In an agent environment, stdout is often collected automatically, so this disclosure is more dangerous than in an interactive local script.
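
Added example (not code from the skill or the audit tool) covering this phone-number finding together with the earlier `echo` finding and the DEBUG-logging finding: it reports whether `TG_API_ID` and `TG_API_HASH` are set using a hash fingerprint instead of the value, masks phone fields in the auth JSON, and installs a logging filter so library DEBUG output cannot echo the API hash or a phone number. The auth-output key names (`phone`, `phone_number`) and the logger name `telegram_skill` are assumptions.

```python
"""Secret-safe output for a Telegram reader skill: confirm credentials are set
without printing them, mask the phone number in auth output, and keep library
DEBUG logging from echoing either. Added example, not code from the skill or
the audit; TG_API_ID/TG_API_HASH are the names the audit cites, the auth JSON
shape ({"phone": ...}) and the 'telegram_skill' logger name are assumptions."""
import hashlib
import logging
import os
import re
from typing import Any, Iterable, Mapping, Optional

REQUIRED_VARS = ("TG_API_ID", "TG_API_HASH")
PHONE_KEYS = {"phone", "phone_number"}
# Optional '+' then 7 to 15 digits: the shape of an E.164 number. Deliberately
# broad, so long numeric IDs in log lines get masked as well (safe default).
PHONE_RE = re.compile(r"\+?\d{7,15}")


def fingerprint(secret: str) -> str:
    """8-hex, non-reversible handle: enough to confirm two runs loaded the same
    value (right .env?) without ever echoing the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def check_credentials(env: Optional[Mapping[str, str]] = None) -> dict:
    """Replacement for 'echo $TG_API_HASH' during setup: reports each required
    variable as 'missing', 'empty' or 'set:<fingerprint>'; values never leave."""
    env = os.environ if env is None else env
    report = {}
    for name in REQUIRED_VARS:
        value = env.get(name)
        if value is None:
            report[name] = "missing"
        elif not value.strip():
            report[name] = "empty"
        else:
            report[name] = f"set:{fingerprint(value)}"
    return report


def mask_phone(phone: str) -> str:
    """Keep the first and last two digits: '+14155550123' -> '+1********23'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        return "*" * len(phone)
    prefix = "+" if phone.startswith("+") else ""
    return f"{prefix}{digits[0]}{'*' * (len(digits) - 3)}{digits[-2:]}"


def redact_auth_output(record: Mapping[str, Any]) -> dict:
    """Copy of an auth result that is safe to print or log: phone fields masked
    at any nesting depth, everything else passed through unchanged."""
    out = {}
    for key, value in record.items():
        if isinstance(value, Mapping):
            out[key] = redact_auth_output(value)
        elif key in PHONE_KEYS and isinstance(value, str):
            out[key] = mask_phone(value)
        else:
            out[key] = value
    return out


class RedactingFilter(logging.Filter):
    """Scrubs configured secret values and phone-shaped digit runs from every
    record it sees, so a DEBUG trace from the Telegram library cannot leak them."""

    def __init__(self, secrets: Iterable[str] = ()):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def scrub(self, text: str) -> str:
        for s in self._secrets:
            text = text.replace(s, "[REDACTED]")
        return PHONE_RE.sub(lambda m: mask_phone(m.group(0)), text)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.scrub(record.getMessage())  # format once, then scrub
        record.args = ()                               # prevent re-formatting
        return True


def configure_logging(debug: bool, library_debug: bool = False,
                      secrets: Iterable[str] = ()) -> logging.Logger:
    """DEBUG for the skill's own logger only; telethon/pyrogram stay at WARNING
    unless the operator separately opts in, and every handler is redacted."""
    logging.basicConfig(level=logging.WARNING)
    for lib in ("telethon", "pyrogram"):
        logging.getLogger(lib).setLevel(logging.DEBUG if library_debug else logging.WARNING)
    scrubber = RedactingFilter(secrets)
    for handler in logging.getLogger().handlers:
        handler.addFilter(scrubber)
    log = logging.getLogger("telegram_skill")
    log.setLevel(logging.DEBUG if debug else logging.INFO)
    return log
```

Pass the loaded `TG_API_HASH` value into `configure_logging(..., secrets=[...])` so the filter can recognise it, and route the auth result through `redact_auth_output()` before it reaches stdout or a `--output` file. The phone regex is intentionally greedy; if the skill's own messages carry long numeric message IDs that must stay readable, narrow `PHONE_RE` to the `+`-prefixed form.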

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.