ClawHub

Telegram History

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it grants reusable Telegram account access and handles login secrets in ways users should review carefully.

Install only if you are comfortable giving this skill reusable access to the Telegram account you log in with. Use a trusted local terminal, avoid putting login codes or 2FA passwords in shell history, chat, files, or other messengers, fetch only chats you are authorized to access, and delete the skill's session directory or revoke the Telegram session when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs users to access Telegram message history from 'any Telegram chat' using a user-account MTProto session, but it does not present a clear privacy or authorization warning before those instructions. That omission increases the risk that operators use the skill to access private conversations without proper consent, especially because a user session has broader access than the Bot API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts the Telegram verification code and optional 2FA password as command-line arguments and even prints usage examples that encourage this practice. On many systems, command-line arguments can be exposed through process listings, shell history, audit logs, or job runners, which can leak credentials that grant access to the user's Telegram account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal