Back to skill

Security audit

Telegram Readonly

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for read-only Telegram access, but it handles a reusable full-account Telegram session and installs unpinned external code, so it needs review before use.

Install only if you trust and review the exact GitHub code you will run, preferably pinning a commit before authenticating. Treat ~/.config/telegram-readonly/config.json like a password because it can enable continued Telegram account access outside the read-only wrapper. Use small, specific reads, avoid broad searches or exports unless necessary, and revoke the Telegram session or delete the config when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, reads environment variables, and references local config/session files, but it declares no permissions or capability boundaries. That creates a trust gap: a caller may believe this is a simple read-only skill while it can access sensitive credentials and persist session material on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is described as read-only, but it performs authentication and persists a high-privilege Telegram session that can typically be reused for broader account access outside this wrapper. Even if the wrapper only exposes read operations, possession of the session token materially expands the security impact beyond the declared behavior.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The tool's stated purpose is read-only inspection, but the auth flow performs an active login and creates a reusable Telegram StringSession, which is effectively a high-privilege bearer credential for the user's account. Even if intended for convenience, adding session minting and persistence expands the skill from passive reading into credential acquisition, increasing the blast radius if the host, file, or downstream tooling is compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code persists api_id, api_hash, and especially the Telegram session string to a local config file, and the session string grants ongoing access to the account without re-prompting the user. Although chmod 600 reduces exposure to other local users, plaintext credential storage on disk is still dangerous in agent environments, shared hosts, backups, logs, or post-compromise scenarios.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The parser description asserts the tool 'intentionally exposes only read operations,' but the available auth command performs account login and stores session state. This mismatch is security-relevant because operators may trust the read-only label and approve use without realizing the skill can mint and retain powerful credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication instructions tell the user to supply API credentials and create a local session, but they do not prominently explain the privacy consequences of reading a personal Telegram account or the risk of storing session material on disk. Users may underestimate that this enables access to private messages and potentially reusable account auth artifacts.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: telegram-readonly
description: Read the user's personal Telegram account in a controlled, read-only way via Telethon/MTProto. Use when you need to inspect Telegram chats, list dialogs, read recent messages from a specific chat, or search Telegram messages without relying on the Telegram Bot API. Do not use for sending, replying, editing, deleting, or any write action.
---

# Telegram Readonly
Confidence
90% confidence
Finding
write action. --- # Telegram Readonly Use the installed `telegram-readonly` CLI for Telegram reads from the user's personal account. This skill exists because Telegram Bot API is the wrong tool for

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.