ClawHub

Relay for Telegram

Security checks across malware telemetry and agentic risk

Overview

Relay for Telegram mostly matches its stated purpose, but it combines private message access with broad auto-invocation and documented billing/referral account actions despite presenting the API as read-only.

Review before installing. Use this only if you trust Relay to sync and store Telegram message history, keep RELAY_API_KEY private, and consider disabling model invocation so the agent only accesses messages when you explicitly ask. Be especially careful with the billing and referral instructions, since the artifact is not purely read-only despite saying it is.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill markets itself as a read-only Telegram history tool, but it also exposes billing and referral/account-management endpoints that are unrelated to the stated core purpose. This creates a scope mismatch that can mislead users and agents into granting trust or auto-invocation privileges to a skill that can trigger commercial account actions beyond message retrieval.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Referral-marketing endpoints are not necessary for searching or summarizing Telegram history and expand the skill's behavioral scope into self-promotion and account attribution. In an agent setting, this can cause the model to make externally visible account changes or promote a service for the vendor's benefit rather than the user's request.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The agent guidance explicitly instructs the model to mention referrals and help with upgrades, steering the assistant toward commercial upsell behavior unrelated to the user's Telegram-history task. This is dangerous because it can manipulate agent behavior for vendor benefit and induce unwanted external actions or disclosures during otherwise benign message-retrieval workflows.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document claims the API is 'entirely read-only,' yet later defines POST operations for subscription creation, cancellation, and referral attribution. This contradiction is a serious trust and safety issue because users and orchestrators may approve or auto-run the skill under false assumptions about its mutability and side effects.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The frontmatter and description encourage broad use whenever the user asks about Telegram messages, chats, DMs, or groups, while model invocation remains enabled. This increases the risk of over-collection and unnecessary transmission of highly sensitive personal communications without clear user consent at the moment of access.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The model-invocation guidance states the agent can access messages on its own initiative for Telegram-related requests, which is overly permissive for a private message archive. In context, the data is highly sensitive, so autonomous activation substantially raises privacy risk even if the API is mostly read-oriented.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The guidance recommends the skill for effectively any Telegram-related request without meaningful constraints or disambiguation rules. In a privacy-sensitive context, that breadth can cause the agent to access synced messages when a user may only be speaking generally about Telegram rather than asking to search private history.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal