Telegram .md File Uploader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Telegram uploader for user-selected Markdown files, with sensitive external sharing behavior that matches its stated purpose.

Install only if you intentionally want to send selected Markdown files to a Telegram chat. Use a dedicated bot token, verify the chat ID, keep the token private, and review files for secrets or private content before uploading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs use of environment variables for a Telegram bot token and chat ID and performs outbound network transmission, but it does not declare corresponding permissions. That creates a transparency and governance gap: users or enforcement systems may not realize the skill can access secrets and exfiltrate workspace files to an external service, which is especially sensitive because the stated purpose is uploading local markdown files off-platform.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script uploads a local file to Telegram, which is an external third-party service, but it provides no explicit runtime confirmation or warning before transmitting workspace data. In an agent-skill context, this is risky because users may invoke the skill on sensitive workspace files and the transfer happens immediately once called.

External Transmission

Medium
Category
Data Exfiltration
Content
    print(f"Error: {file_path} is not a valid Markdown (.md) file.")
    sys.exit(1)

url = f"https://api.telegram.org/bot{token}/sendDocument"

try:
    with open(file_path, 'rb') as f:
Confidence
96% confidence
Finding
https://api.telegram.org/

VirusTotal

66/66 vendors flagged this skill as clean.
