Security audit

Telegram Bot

Security checks across malware telemetry and agentic risk

Overview

This Telegram bot skill broadly does what it claims, but it automatically installs an unpinned package at runtime and can run local handler code, so users should review it before installing.

Review the script before installing. Prefer installing a pinned `python-telegram-bot` dependency yourself in a virtual environment, keep the Telegram bot token private, and only pass handler files that you wrote or fully trust. Avoid giving the bot broad group-admin permissions until its commands are tested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
from telegram.ext import Application, CommandHandler, MessageHandler, filters, ContextTypes
except ImportError:
    print("Installing python-telegram-bot...")
    os.system("pip install python-telegram-bot")
    from telegram import Update
    from telegram.ext import Application, CommandHandler, MessageHandler, filters, ContextTypes
Confidence
96% confidence
Finding
os.system("pip install python-telegram-bot")

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
# Import module
    module_name = Path(handler_path).stem
    try:
        return __import__(module_name)
    except Exception as e:
        print(f"Error loading handler: {e}")
        return None
Confidence
97% confidence
Finding
return __import__(module_name)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation instructs users to run shell commands and references executable scripts, but it declares no permissions or security boundary for shell/code execution. In an agent skill ecosystem, undeclared shell capability is risky because it can mislead reviewers and users about what the skill may do, reducing scrutiny around command execution and installation behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is bot creation/management, but the referenced behavior includes dynamically loading a user-supplied Python handler and running pip installation commands, which are powerful code-execution primitives not clearly disclosed in the skill description. This mismatch is dangerous because it hides materially riskier behavior behind a benign description, increasing the chance that arbitrary code or unreviewed packages are executed with insufficient oversight.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The --handler option allows the caller to point the bot at an arbitrary local Python file, which is then imported and executed. This creates a broad code-execution capability unrelated to simply creating and managing Telegram bots, making the skill substantially more dangerous in any environment where untrusted input can influence arguments or available files.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatically invoking pip through the shell introduces an unnecessary execution/install capability during normal operation. For a Telegram bot skill, dependency installation should not happen implicitly at runtime because it changes the system state, can break reproducibility, and may expose the host to supply-chain or environment-based abuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill tells users to obtain and pass a Telegram bot token but gives no warning that the token is a sensitive secret that grants control over the bot. Without guidance on secure storage and handling, users may expose the token in shell history, logs, source files, screenshots, or version control, enabling bot takeover.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill runs a shell command to install software without explicit confirmation or warning beyond a print statement. This is dangerous because it performs privileged or system-altering behavior unexpectedly, and in managed environments users may not realize the script is mutating the runtime or reaching out to package repositories.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.