Telegram Media Resolver

Security checks across malware telemetry and agentic risk

Overview

This Telegram media resolver has a clear purpose, but installing it deserves Review because it can forward private Telegram messages to another chat, use a bot token, and leave downloaded or forwarded copies behind.

Install only if you are comfortable letting the agent use your Telegram bot token for chats where the bot is present. Use a limited-purpose bot, avoid sensitive group media, set --forward-to only to a private chat you control, and delete downloaded files after use. Treat the bot token as a secret and do not paste or log it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly performs network operations against the Telegram Bot API, but the documentation does not declare that capability as a permission or sensitive behavior. That omission reduces transparency and can cause an agent or reviewer to invoke the skill without understanding that it reaches external services and transfers chat content off the local context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The advertised behavior focuses on resolving media placeholders, but the skill also forwards messages to another chat and deletes those forwarded copies. That hidden message-copying behavior materially changes the privacy and audit implications, because message contents may be exposed in a different chat and the cleanup step can reduce visibility into what happened.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims to resolve media placeholders into files, but it does so by forwarding the original message to another chat and then deleting that forwarded copy. This expands behavior beyond simple retrieval and can leak message content and metadata to an unintended destination if --forward-to is set differently, creating a privacy and data-handling risk.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The documentation says media is downloaded and returned as a local file path, but it does not prominently warn that untrusted remote content will be written to disk. This can create retention, privacy, and malware-handling risks if operators assume the action is transient or memory-only.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions explicitly show how to read a Telegram bot token from local configuration without any warning about credential sensitivity, least-privilege handling, or log exposure. In an agent setting, this increases the chance that secrets are echoed, stored in shell history, or exposed to downstream tools and prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill notes temporary forwarding but does not prominently emphasize that forwarding copies message content into another chat, potentially including private or sensitive media. In context, this is particularly dangerous because the skill is intended for group history and replied-to messages, where participants may not expect cross-chat duplication of content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs privacy-impacting operations—forwarding message content, deleting the forwarded copy, and downloading media—without any explicit confirmation or warning. In the context of a Telegram message-processing skill, this can surprise operators and users and may cause unintended disclosure of private chat content to another chat or account.

VirusTotal

66/66 vendors flagged this skill as clean.
