Security audit

Telegram News Digest (Lite)

Security checks across malware telemetry and agentic risk

Overview

The skill coherently monitors public Telegram channels and summarizes them, but users should notice that channel text is sent to the configured LLM provider despite one confusing documentation line.

Install only if you are comfortable with public Telegram post text from monitored channels being sent to your configured OpenClaw or LLM gateway and digests being sent to the configured notification channel. Review the gateway URL/token, choose channels deliberately, and treat channel removal as a persistent local config/cache change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The privacy section is misleading: summarization requires sending raw scraped Telegram message text to an external LLM provider, yet the document claims raw messages are not forwarded. This can cause operators to expose sensitive or regulated content to a third party under a false assumption about data handling.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill exposes a configuration-management entrypoint that writes directly to ./config.yaml and clears per-channel cache state, even though the skill is presented primarily as a monitoring and summarization pipeline. This expands the skill's effective privilege surface from read/process/notify into local state mutation, which can be abused by a caller to alter future monitoring behavior or erase history without a stronger authorization boundary.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description emphasizes zero-auth Telegram scraping but omits that scraped message text is sent to an external LLM provider by default for summarization. That omission materially affects user consent and threat modeling because operators may assume all processing stays local except the final notification.

Vague Triggers

Medium
Confidence: 90%
Finding
The tool descriptions authorize broad actions such as fetching remote content, generating summaries, modifying channel configuration, and delivering outbound digests, but they do not define when these actions should or should not be invoked. In an agent setting, vague activation criteria can cause overbroad tool use, including unintended network access, persistent configuration changes, or repeated outbound messaging based on ambiguous user requests.

Missing User Warnings

Medium
Confidence: 93%
Finding
The manifest explicitly permits network transmission to Telegram and third-party AI providers, writes local state/config files, and accesses gateway credentials, yet the description does not clearly warn users that scraped channel content may be sent to external summarization services and that configuration/state may be modified. This lack of transparency increases the risk of unintended data disclosure and persistent side effects when the skill is installed or invoked.

Missing User Warnings

Medium
Confidence: 95%
Finding
This code sends raw Telegram message contents to an external LLM endpoint for summarization without any visible consent, disclosure, minimization, or redaction controls. Even if the monitored channels are public, scraped content can still include sensitive personal data, copyrighted material, or unexpectedly risky text, and transmitting it to a third-party model service expands the data exposure surface.

VirusTotal

65/65 vendors flagged this skill as clean.
