Telegram Bot Factory

Security checks across malware telemetry and agentic risk

Overview

This is an informational Telegram bot development skill with no executable code, but real deployments using it may involve payments, moderation, posting, or user data.

Installing this skill appears low risk because it is instruction-only. Before using it to build or deploy real bots, especially payment, trading, moderation, subscription, or analytics bots, require secure token handling, payment verification, privacy controls, audit logs, testing mode, rollback options, and explicit human approval before live deployment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises payment handling, crypto subscriptions, automatic payment confirmation, and user data management, but it provides no warning about financial risk, privacy handling, security obligations, or operational safeguards. In this context, users may rely on the skill for building systems that process money and personal data without being prompted to consider compliance, secret management, fraud prevention, or secure data practices.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal