ClawHub

Telethon Master

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Telegram automation skill is coherent, but it gives an agent broad real-account access to messages, media, group controls, broadcasts, and an under-declared raw MTProto method.

Install only if you intend to let the agent act through your Telegram account. Limit use to explicitly authorized chats and recipients, avoid bulk messaging unless recipients opted in, review any group-permission changes before execution, and be careful with TTS providers or media downloads that may expose private content.

SkillSpector (3)

By NVIDIA

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documented tool set lists eight telegram_* tools, but the skill later invokes an additional raw method capability via telegram_call_method to reach low-level MTProto functionality. This bypasses the declared interface boundaries and can enable broader account actions than users or reviewers would expect, increasing the risk of unauthorized or unsafe Telegram operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises broad chat-history parsing, media access, and cross-chat analysis without prominently surfacing privacy, consent, and scope restrictions up front. In a Telegram account context, this can normalize access to private conversations and bulk analysis of user data beyond what a user may reasonably expect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage guidance explicitly mentions automating broadcasts to subscribers, but does not pair that guidance with consent, anti-spam, or account-safety warnings at the point of use. This can facilitate abusive mass messaging or account sanctions, especially because the skill operates through a real user account rather than a constrained bot context.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal