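Telegram voice message skill pack: a complete solution based on real-world pitfalls, helping AI assistants send Telegram voice messages correctly. It solves common problems such as WAV format errors, a missing asVoice parameter, and expired TTS audio URLs.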

Security checks across malware telemetry and agentic risk

Overview

This Telegram voice-message skill is mostly purpose-aligned, but it includes runnable examples and scripts with command-execution and unsafe automation patterns that deserve manual review before use.

Install only if you are comfortable reviewing and hardening the scripts first. Use test-only Telegram/TTS credentials, avoid sensitive text, remove eval and remote source patterns, require webhook authentication before exposing any server, disable cross-channel forwarding of original content, and store secrets in environment variables or a secret manager rather than plaintext config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The webhook server example accepts arbitrary POST requests from any source and immediately processes attacker-controlled text, while the document separately presents signature verification without integrating it into the handler. In this context, that means unauthenticated remote users can trigger TTS generation, outbound messaging, and downstream command execution paths, making abuse straightforward and materially increasing risk.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document states that all examples follow security best practices, but the included CLI example writes secrets such as Telegram and API keys to a local config file and later executes that file with `source`. This is misleading security guidance because users may trust the examples as hardened when they are not, increasing the chance of unsafe deployment and credential exposure.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script is presented as a validation utility, but `check_permission` performs a state-changing operation by running `chmod +x` on files. Even though this is not overtly malicious, hidden mutation in a verifier can violate operator expectations, alter repository state, and make previously non-executable files runnable without explicit consent.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The OpenClaw code path claims to send a message but only prints placeholder text and unconditionally returns success. In automation, this can cause operators or downstream workflows to falsely believe notifications were delivered, leading to silent alert loss or missed incident response actions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The method claims to return a configuration summary without sensitive information, but it still exposes prefixes and suffixes of bot tokens and API keys. Partial secret disclosure can aid credential correlation, validation, log scraping, and targeted exfiltration, especially if summaries are printed or stored in logs as shown in the example flow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quick-start section instructs users to export real Telegram and TTS credentials and immediately send a message to Telegram, but it does not warn that this uses live secrets and transmits data to an external third-party service. In a skill intended for AI assistants, this can lead to accidental use of production credentials, unintended outbound messaging, and disclosure of user content or metadata during testing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README gives concrete examples for sending user-provided text/audio to Aliyun, OpenAI, and Telegram, but it does not present a prominent user-facing disclosure that content will leave the local environment and be processed by third parties. In a skill meant for automation, this omission can lead operators to unknowingly transmit sensitive text, voice, or identifiers to external services.

Missing User Warnings

High
Confidence
92% confidence
Finding
The fallback logic resends the original message content to alternate services such as Slack and WeWork when Telegram delivery fails. That creates cross-channel data disclosure, potentially exposing sensitive content to different providers, different audiences, and different retention policies without any minimization or consent controls.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples instruct users to send message content to external TTS providers and Telegram without any privacy warning. In this skill context, the main function is external transmission of user-provided text and generated audio, so omitting disclosure can lead users to unknowingly send sensitive data to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI example saves bot tokens and API keys to a file in the user's home directory but does not explicitly warn that sensitive credentials are being written to disk. Even with mode 600, local storage increases exposure through backups, shell history during entry, endpoint compromise, or accidental disclosure.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The example sends error context and message content to Slack without warning that operational data may leave the local environment. In practice, error strings and context often contain user content, identifiers, file paths, or other sensitive details, so this can lead to unintended third-party disclosure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script builds an ffmpeg command as a shell string and executes it with eval, while interpolating user-influenced values such as input_file, output_file, bitrate, sample_rate, and channels. Even though some values are quoted in the string, eval causes a second round of shell parsing, which can turn crafted input into command injection and arbitrary command execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script changes permissions automatically without prior confirmation, dry-run output, or a documented repair mode. In a shared workspace or untrusted repository, this can unexpectedly modify files, interfere with review workflows, and increase the chance that later tooling executes files that were intentionally non-executable.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The save routine serializes bot tokens and API keys directly to JSON on disk without warning, permission hardening, or encryption. If the file is stored in an insecure location, committed to source control, backed up, or read by other local users/processes, long-lived credentials may be exposed and abused.

Ssd 3

High
Confidence
95% confidence
Finding
The example explicitly forwards plaintext original message content to external notification channels during failure handling. In an automation skill that may process private user text, this increases the blast radius of any single send failure and can leak sensitive content into systems with broader membership, weaker controls, or longer retention.

External Transmission

Medium
Category
Data Exfiltration
Content
local output_file="$2"
    
    # API call (using environment variables)
    curl -X POST "https://dashscope.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation" \
        -H "Authorization: Bearer $ALIYUN_TTS_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{
Confidence
91% confidence
Finding
curl -X POST "https://dashscope.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation" \ -H "Authorization: Bearer $ALIYUN_TTS_API_KEY" \ -H "Content-Type: application/jso

External Transmission

Medium
Category
Data Exfiltration
Content
sys.exit(1)
" | while read url; do
        # Download immediately (the URL may expire quickly)
        curl -s -o "$output_file" "$url"
    done
}
Confidence
87% confidence
Finding
curl -s -o "$output_file" "$url" done } # Main function main() { check_config text="$1" output_file="/tmp/audio_$(date +%s).wav" echo "生成音频: ${text:0:50}..." generate_audio "$text"

External Transmission

Medium
Category
Data Exfiltration
Content
#### OpenAI TTS example
```bash
# Use OpenAI TTS
curl https://api.openai.com/v1/audio/speech \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.openai.com/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# ✅ Safe cleanup
cleanup() {
  rm -f "$temp_dir"/*.wav
  rm -f "$temp_dir"/*.ogg
  rm -f "$temp_dir"/*.tmp
}
Confidence
87% confidence
Finding
rm -f "$temp_dir"/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# ✅ Safe cleanup
cleanup() {
  rm -f "$temp_dir"/*.wav
  rm -f "$temp_dir"/*.ogg
  rm -f "$temp_dir"/*.tmp
}
Confidence
87% confidence
Finding
rm -f "$temp_dir"/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
cleanup() {
  rm -f "$temp_dir"/*.wav
  rm -f "$temp_dir"/*.ogg
  rm -f "$temp_dir"/*.tmp
}

# Ensure cleanup
Confidence
87% confidence
Finding
rm -f "$temp_dir"/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
while true; do
            sleep 3600  # Clean up once per hour
            find /tmp -name "telegram_voice_*" -type d -mmin +60 2>/dev/null | \
                xargs rm -rf 2>/dev/null || true
        done
    ) &
}
Confidence
91% confidence
Finding
rm -rf 2>/dev/

VirusTotal

66/66 vendors flagged this skill as clean.
