Telegram Autopilot

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about automating Telegram, but it gives an AI userbot long-running control over a personal account and private chats with weak consent and secret-handling safeguards.

Install only if you are comfortable letting a long-running AI userbot read and send Telegram messages as you. Use a narrow contact whitelist, disclose automation where appropriate, avoid sensitive chats, protect session/config/history files like passwords, avoid passing 2FA secrets on the command line, and enable owner notifications only for a bot and chat you fully control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly requires file writes and network access to store Telegram sessions/configuration and communicate with Telegram, AI providers, and optional notification bots, yet no permissions are declared. This creates a governance gap: users and orchestrators are not given an accurate security boundary for a skill that handles highly sensitive credentials and private communications.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script can create a new Telegram channel, upload paid media into it, export an invite link, and distribute that link to a target user. Those actions materially exceed a typical 'autopilot/private-message auto-reply' scope and enable the skill to publish and distribute monetized content as the user, which increases the risk of unauthorized account activity, spam, fraud, or policy-violating behavior if triggered without explicit informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises owner notifications that forward private messages and replies, but it does not present a strong, upfront privacy warning or consent requirement for third-party correspondents whose content will be disclosed. In the context of a personal Telegram autopilot, this creates a real privacy risk because users may enable surveillance-like forwarding without understanding the legal and ethical implications for other participants.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad phrases such as 'manage my telegram' and 'respond for me', which could activate a high-risk skill in contexts where the user did not intend to authorize account automation or message handling. Because this skill can act as the user, broad activation materially increases the chance of unintended access to secrets, account actions, or private-chat processing.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The document says the AI should 'Never reveal it's AI' while later stating it should be honest if directly asked whether it's AI. Conflicting disclosure rules are dangerous because they encourage deceptive impersonation by default and make operator behavior unpredictable in sensitive interpersonal conversations.

Missing User Warnings

High
Confidence
96% confidence
Finding
The handler forwards private Telegram message content and conversation history to an external AI provider to generate replies, but the code contains no explicit disclosure, consent gate, or per-contact warning before sharing third-party message data. In the context of a personal userbot that impersonates the account owner in private chats, this creates a significant privacy and compliance risk because correspondents may reasonably expect their messages are only seen by the user, not transmitted to external model vendors.

Missing User Warnings

High
Confidence
97% confidence
Finding
The code sends incoming private message content to a separate Telegram bot notification channel, duplicating private correspondence to another recipient/context without any in-code disclosure or authorization flow. This expands exposure of sensitive data beyond the original chat and can leak confidential information if the bot token, bot operator, or destination chat is misconfigured or compromised.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The OTP code is persisted to a plaintext file on disk, creating an unnecessary secret-at-rest that may be readable by other local users, backup systems, logs, or later processes. In the context of a Telegram userbot login flow, this is more sensitive than a generic form input because the code can be used to complete authentication to the user's personal account if accessed quickly.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script sends a direct message containing a generated invite link immediately after creating/exporting it, with no interactive confirmation, recipient verification, or warning to the user. In the context of a userbot acting as the user's identity, silent outbound messaging is dangerous because it can be abused to spam contacts, distribute unwanted or fraudulent links, or perform social-engineering actions from a trusted account.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints the one-time login code to stdout via `print(f"GOT_CODE: {code}")`. OTPs are authentication secrets; exposing them in logs, terminal history, CI output, or supervisor process capture can let anyone with log access complete or replay the login flow during the valid window. In this skill context, the code is used to authenticate a Telegram user account, so leaking the OTP directly enables account takeover during setup.

Ssd 3

Medium
Confidence
95% confidence
Finding
Forwarding every incoming private message and generated reply to the owner is a built-in data leakage path for conversation content. Even if intended as a monitoring feature, it increases exposure of sensitive messages, especially when paired with bot tokens or third-party infrastructure that may store or relay the content further.

Ssd 3

Medium
Confidence
94% confidence
Finding
The security notes confirm that notifications forward user messages to the owner, reinforcing that the product intentionally leaks private chat content beyond the original participants. Because this is documented as a normal feature rather than a tightly constrained debugging mode, the skill context makes the privacy risk more concrete and operational.

Ssd 3

High
Confidence
97% confidence
Finding
Forwarding incoming private messages and sent replies to the owner via a bot creates a deliberate data leakage channel out of personal chats. This can expose sensitive conversations, attachments, identifiers, and metadata to additional infrastructure and credentials beyond the original Telegram account.

Ssd 3

Medium
Confidence
84% confidence
Finding
The skill is expressly designed to read private messages and respond as the user, which inherently processes personal communications and enables impersonation-style interaction. In this context, the risk is not just automation but covert handling of sensitive chat content and acting under the user's identity without recipient awareness.

Ssd 4

High
Confidence
96% confidence
Finding
The combined instructions to mark messages as read, simulate human typing, maintain a persona, and avoid revealing AI identity form a deception-oriented design. This is especially dangerous in a personal messaging context because it can mislead contacts into believing they are communicating directly with the user, enabling social engineering, trust abuse, and non-consensual impersonation.

Exfiltration Commands

High
Category
Prompt Injection
Content
- **Never commit** `config.json` (contains API keys) or `.session` files
- **OTP server** binds to `127.0.0.1` only — never expose it to the network
- **Transparency:** If someone directly asks if they're talking to AI, the bot is honest
- **Notifications** forward messages to the owner — ensure you control the bot token
- Telegram may restrict accounts with aggressive automation — natural delays are built in
- Only one process can use a session file at a time
- Using a userbot may violate Telegram ToS — use at your own risk
Confidence
90% confidence
Finding
forward messages to

Exfiltration Commands

High
Category
Prompt Injection
Content
- **Session security:** The `.session` file grants full access to the account. Protect it like a password.
- **Transparency:** The AI is instructed to be honest if directly asked whether it's AI.
- **OTP server:** `code_server.py` binds to `127.0.0.1` (localhost only). Never expose it to the network.
- **Notifications:** The skill can forward messages to the owner via bot. Ensure you control the bot token and chat_id.
- **Rate limits:** Telegram may restrict accounts with aggressive automation. The autopilot uses natural delays.
- **One session at a time:** Only one process can use a session file. Stop autopilot before running other scripts.
- **Platform policies:** Using a userbot to auto-reply may violate Telegram ToS. Use at your own risk.
Confidence
94% confidence
Finding
forward messages to

VirusTotal

65/65 vendors flagged this skill as clean.
