Security audit

Telegram Bot Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent set of Telegram Bot API examples; it can control a bot if given a token, but that access matches its stated purpose.

Install only if you intend to let an agent help operate a Telegram bot. Use a dedicated bot token, keep it out of chats, logs, screenshots, and repositories, test commands in a private chat first, verify chat/user/message IDs before write or moderation actions, and configure webhooks only to HTTPS endpoints you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The skill instructs users to place the Telegram bot token directly into an environment variable and then use it in URLs for repeated network requests, but it does not warn that the token is a bearer secret that grants control of the bot. Because the token is embedded in request paths, it may be exposed through shell history, logs, process listings, screenshots, or copied examples, increasing the risk of bot takeover if mishandled.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The documentation includes potentially destructive administrative actions such as setting webhooks, deleting webhooks, banning users, deleting messages, and pinning messages without cautionary guidance. Users may unintentionally disrupt production bots, moderation state, or chat content, especially if commands are copied verbatim into real environments.

VirusTotal

56/56 vendors flagged this skill as clean.
