Back to skill

Security audit

mapulse-korea

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real finance Telegram bot, but it retains and forwards sensitive user activity without enough clear notice, limits, or user controls.

Review before installing or deploying to real users. Use it only if you are comfortable operating a finance Telegram bot that stores user IDs, watchlists, preferences, alerts, and recent query history, and may send prompts or query-derived data to third-party AI and market-data services. Set ALLOWED_GROUPS explicitly, treat all API tokens as secrets, avoid enabling cron pushes until users have opted in, and require clear privacy, retention, deletion, and no-investment-advice controls before public use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The bot synchronizes Telegram user metadata and additionally fetches and stores profile photo file IDs in the database, even though this is not necessary for answering market-analysis queries. Collecting extra personal data expands privacy risk, increases breach impact, and creates unnecessary retention of user-identifying information.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comment says an empty group whitelist should mean DM-only, but the actual logic returns True for all groups when the whitelist is empty. This misconfiguration-by-default can unintentionally expose the bot in group chats, causing user data processing and responses in contexts the operator may not have intended.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code stores per-user context, including ticker, intent, raw query text, and a response excerpt, creating undeclared retention of conversational history. In a finance bot, these records can reveal portfolio interests, investment concerns, and behavioral patterns, making the profiling risk more sensitive than in a generic chatbot.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This path also persists user query history and response excerpts through update_context, again without any visible notice or limitation. Because the bot handles financial questions in multiple languages, this can silently accumulate sensitive user-preference and market-interest data across sessions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The legacy processing path repeats the same behavior of saving conversational context and message excerpts, so the privacy issue exists in multiple execution paths rather than a single isolated feature. Multiple persistence points make the risk harder to audit and increase the chance of unnoticed long-term profiling.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module persistently stores per-user language, watched tickers, inferred sector interests, and query history, which creates a user-profiling dataset beyond transient response generation. In a market-analysis bot, this is contextually relevant but still increases privacy risk because historical interests and queries can reveal investment behavior and sensitive financial preferences if the database is accessed or repurposed.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The crash-analysis prompt explicitly asks the model to help determine whether a sharp drop is a 'buying opportunity or a sign of deeper trouble,' which conflicts with the module's own no-investment-advice policy. In practice this can steer outputs toward actionable trading guidance despite the compliance language elsewhere, creating policy, legal, and user-harm risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documented behavior says direct user questions should bypass onboarding and be answered immediately, but the implementation first parses stock names, mutates the user's watchlist, and marks onboarding complete. That creates an unintended state-changing side effect from ordinary conversation, which can silently alter user preferences and downstream notifications without explicit consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README states that the bot sends and receives Telegram messages and can optionally use third-party AI providers, but it does not clearly warn users that message content may be transmitted to external services or describe the privacy implications. In a bot that processes natural-language financial queries across Telegram chats, users may reasonably share sensitive watchlists, trading interests, or group discussion content without understanding that this data could be relayed to AI or other external data providers.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation guidance says users can 'type naturally' across broad market topics and examples, but it does not clearly define activation boundaries, supported commands, or constraints on what the bot will do with free-form input. Overly broad natural-language activation increases the risk of prompt abuse, unintended tool use, excessive data fetching, or users triggering functions they did not mean to invoke. In a Telegram bot context, ambiguous activation is more risky because untrusted public/group messages can be interpreted as commands.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The persistence section admits local storage of Telegram user records, watchlists, alerts, logs, and profiles, but it does not present this as a clear privacy warning or informed-consent notice. Users and operators may not realize that personally identifiable information and inferred preferences are retained, creating privacy, compliance, and misuse risk if the database is exposed or retained too long. This is more dangerous in this context because the bot appears consumer-facing and multilingual, increasing the chance that ordinary users interact without expecting profiling and storage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The bot silently requests users' Telegram profile photos and stores the resulting file IDs without any user-facing notice or consent flow. Even if only the file ID is stored, it is still personal profile data tied to a user account and exceeds what users would reasonably expect from a stock-analysis bot.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tutorial tells users to obtain and enter a Telegram Bot Token but does not warn that the token is a secret with full control over the bot. If users paste it into insecure places, share screenshots/logs, or store it carelessly during setup, an attacker could hijack the bot, read or send messages as the bot, and disrupt service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to configure an OpenRouter AI key without stating that it is a secret or that requests may send user or market-query content to a third-party AI provider. This creates both credential exposure risk and privacy/compliance risk, especially because the bot handles potentially sensitive chat content and user prompts.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The architecture explicitly describes day-2 user profiling, individual user delivery of market pushes, usage metrics, referral tracking, billing records, and persistent storage of user activity, but it does not mention consent flows, data minimization, retention limits, or privacy notices. In a financial-analysis Telegram bot, this creates a real privacy and compliance risk because sensitive behavioral and financial-interest data may be collected and processed without transparent user warning or clear controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs use of bearer-token authenticated third-party APIs but provides no guidance on secret storage, rotation, scoping, or avoiding client-side exposure. In an agent skill context, this can lead developers to embed tokens in code, logs, or chat-visible prompts, enabling credential theft and unauthorized external data access.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The function builds external news-search requests using user-derived stock/entity names and sends them to Google News, Bing, and Yahoo endpoints without disclosure. Even if the data sent is often just a stock name, user prompts may contain sensitive interests or contextual entities, and the outbound requests expose user intent to third parties.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
URL shortening forwards article URLs to the is.gd third-party service without user awareness. That leaks browsing targets and potentially user-correlated reading interests to an external service, which is unnecessary for core financial-analysis functionality and creates an avoidable privacy exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User queries and market data are automatically forwarded to Anthropic/OpenRouter during enrichment without any visible consent, warning, or per-request control in this code path. Because the bot handles finance-related questions, the transmitted content may contain sensitive user interests or behavioral signals, making undisclosed third-party sharing more dangerous in context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code stores language preference and rolling query history in a database with no visible notice, consent, or user control. Persisting finance-related query history can expose investment interests and behavioral profiles over time, so silent collection materially raises privacy and compliance risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code persists per-user conversation history, last queries, and assistant responses in a local SQLite database without any visible consent, retention notice, minimization, or deletion control in this component. For a Telegram market bot that may process investment questions and potentially identifying user IDs, this creates a privacy and data-exposure risk if the host is compromised, logs are inspected, or the database is reused beyond user expectations.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
User queries, chat history, and enriched market/context data are transmitted to a third-party LLM API, but this file contains no user-facing notice, consent flow, or minimization guardrails. For a finance bot, those prompts may contain sensitive portfolio interests, trading intent, or other personal data that users may not expect to leave the service boundary.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
This skill silently performs authenticated requests to a third-party service using a bearer token from the environment, with no disclosure to the operator or user about what external service receives the credential-backed traffic. In an agent skill context, undisclosed outbound authenticated integrations increase supply-chain and data-governance risk, especially because market-monitoring workflows may run automatically and repeatedly.

Ssd 3

Medium
Confidence
91% confidence
Finding
The bot persistently collects preference and query-history data, then uses those preferences to shape later model prompts, which compounds privacy risk by turning stored behavioral data into ongoing profiling context. In a stock-analysis setting, this can reveal sustained financial interests and inferred risk appetite, making any database compromise or misuse more impactful.

Ssd 4

Medium
Confidence
92% confidence
Finding
The crash-analysis workflow nudges the model toward implicit trading guidance by asking it to interpret a selloff in a way that naturally maps to entry/avoidance decisions. In a financial skill, this context makes the issue more serious because users are likely to act on quasi-recommendations even if explicit 'buy' or 'sell' wording is avoided.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.