Security audit

Telegram Tools Suite

Security checks across malware telemetry and agentic risk

Overview

This is a high-risk but openly documented Telegram automation toolkit, with sensitive actions mostly tied to explicit user commands and local configuration.

Install only if you trust the publisher and are comfortable granting this tool access to a Telegram account. Prefer a test account, keep .env and userdata/*.session private, review config files before enabling join or send-schedule, and treat member/history output plus Excel/JSON reports as sensitive data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (18)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation indicates access to environment variables and reading/writing local files, including sensitive `.env` and `*.session` artifacts, but it does not declare corresponding permissions. This creates a transparency and least-privilege failure: users or hosting platforms may authorize the skill without understanding it handles high-sensitivity credentials and session state.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The stated description understates the actual data-handling and account-access behavior: the skill also performs authentication, account-info disclosure, group enumeration, member export, and message-history export. That mismatch is dangerous because operators may consent to a monitoring/sending tool without realizing it can collect and expose personal data and full account context, increasing privacy, compliance, and abuse risk.

Description-Behavior Mismatch

Medium

Confidence: 87% confidence
Finding: The README presents the package primarily as a monitoring and search toolkit, but it also documents batch group joining and scheduled bulk messaging, which are materially different and higher-risk capabilities. This mismatch can mislead users or integrators about the operational scope of the skill, reducing informed consent and making potentially abusive automation easier to deploy under a softer description.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The package metadata advertises only Telegram monitoring and group search, while the skill description claims additional capabilities such as bulk group joining and scheduled sending. This mismatch is a supply-chain transparency problem: reviewers and users may underestimate the package’s behavior, especially because the broader skill context already involves automation, persistent sessions, and higher-risk Telegram actions.

Description-Behavior Mismatch

Medium

Confidence: 87% confidence
Finding: The module does substantially more than a simple group search: it enumerates groups, collects member counts, visibility, inferred posting permissions, message activity, earliest/latest message timestamps, and persists the results to an Excel report. In a Telegram automation context, this creates a durable reconnaissance dataset about third-party groups that may exceed user expectations and increases privacy and misuse risk if the report is accessed or repurposed.

Description-Behavior Mismatch

Medium

Confidence: 82% confidence
Finding: The defaults enable automatic execution on startup and scheduled recurring runs, turning the tool into a long-lived monitoring daemon rather than a one-shot search utility. In this skill's context, persistent unattended collection materially increases the scale of data gathering and the chance of unnoticed or unauthorized surveillance behavior.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The tool enumerates and prints a full group roster including user IDs, names, usernames, and phone-related data to stdout, which exposes privacy-sensitive information beyond what is necessary for basic monitoring. In the context of a Telegram automation suite that already supports monitoring and bulk operations, this creates a practical member-harvesting capability that could be misused for surveillance, targeting, or downstream spam.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Even though the phone value is masked before display, the code still accesses participant.phone and reveals whether a public phone number exists along with partial digits. Phone-related data is especially sensitive, and its collection is not clearly required for group monitoring, making this an unnecessary privacy exposure that can aid identification or correlation of users across datasets.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The scheduled messaging feature enables automated message delivery to Telegram groups, which can be used for spam, unauthorized outreach, or repeated actions without active user oversight. Although the README notes an enable flag and some rate limits, it does not prominently warn about abuse potential, account sanctions, privacy implications, or the risk of sending messages to unintended targets from persisted configuration.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The code persists a detailed inventory of the user's joined Telegram groups/channels to a local JSON file under the project directory, including IDs, names, and public usernames, without any explicit warning, consent flow, retention limit, or protection on the file. In the context of a Telegram automation skill that already handles sensitive session material, this expands the local privacy footprint and can expose a user's associations if the host is shared, compromised, or the userdata directory is later copied or committed.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The code sends detailed group metadata and the exported report path to Telegram without any warning, consent checkpoint, or sensitivity labeling. Because the tool uses a user session and pushes reconnaissance results to a chat target, users may unknowingly distribute sensitive collected data, especially when long-running scheduled mode is enabled.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This code enumerates all joined chats/channels and prints their titles and IDs directly to stdout without any explicit consent prompt, redaction, or warning about the sensitivity of the data. In this skill's context, group membership and channel identifiers are sensitive account metadata that can expose affiliations, targets of interest, or operational context, especially if logs are captured or shared.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This code retrieves recent Telegram messages and prints full message text along with participant names directly to stdout, which can expose sensitive chat content and identities to terminal logs, shell history capture, CI logs, or other observers of the execution environment. In the context of a Telegram automation suite that monitors groups and handles sensitive session state, this increases privacy and data-leak risk even if the behavior is intentional.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The code outputs privacy-sensitive participant information directly to the console without warning, confirmation, or any indication of safe handling requirements. Because command-line output is often copied, logged, or persisted in terminal history, this increases the likelihood of unintended disclosure of member data to operators, logs, or other local users.

Unpinned Dependencies

Low

Category: Supply Chain
Content: # 与 pyproject.toml 同步 telethon>=1.34.0 openpyxl>=3.1.0 python-dotenv>=1.0.0
Confidence: 93% confidence
Finding: telethon>=1.34.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: # 与 pyproject.toml 同步 telethon>=1.34.0 openpyxl>=3.1.0 python-dotenv>=1.0.0
Confidence: 97% confidence
Finding: openpyxl>=3.1.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: # 与 pyproject.toml 同步 telethon>=1.34.0 openpyxl>=3.1.0 python-dotenv>=1.0.0
Confidence: 91% confidence
Finding: python-dotenv>=1.0.0

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low

Category: Supply Chain
Confidence: 71% confidence
Finding: python-dotenv

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal