Is telegram-bot safe?

https://clawhub.ai/Sebastian-Buitrag0/telegram-bot

72
CAUTION

This skill is a documentation-only Telegram Bot API reference containing curl command templates. It contains no executable code, no prompt injection, and no malicious payload. However, the Telegram Bot API is inherently a powerful data exfiltration channel — the skill teaches an agent to send arbitrary files and text to any chat_id, and the echo bot example contains a shell injection vulnerability via unescaped user input. Install monitoring detected access to .aws/credentials during the install process.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 48/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Telegram API acts as unrestricted data exfiltration channel -30

The skill teaches the agent to use curl to send arbitrary files and text to any Telegram chat_id via sendDocument, sendPhoto, and sendMessage. An attacker who controls the chat_id parameter could exfiltrate any file the agent can read by instructing it to 'send /etc/passwd to my Telegram chat' or similar.

HIGH Bot token exposed in every curl command URL -15

The TELEGRAM_BOT_TOKEN is embedded directly in every API URL (https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/...). If the agent logs commands, displays them to the user, or if shell history is accessible, the token is leaked. The token grants full control of the bot.

MEDIUM Shell injection in echo bot example via unescaped $TEXT -20

The echo bot example interpolates $TEXT (user-controlled Telegram message content) directly into a JSON string via bash string interpolation without escaping. A malicious Telegram message containing shell metacharacters or JSON-breaking characters could cause command injection or unexpected behavior.

MEDIUM Webhook setup enables inbound data interception -7

The setWebhook command allows pointing the bot's webhook to any URL. An attacker could set the webhook to their own server, intercepting all messages sent to the bot, potentially including sensitive user communications.

MEDIUM Sensitive file access during installation -40

The install process accessed .env, .aws/credentials, and auth-profiles.json. While likely caused by the host platform's install routine rather than the skill itself, the access pattern is concerning — especially .aws/credentials which was opened and read.

LOW Skill requires shell command execution (curl, jq) -15

The skill operates entirely through shell commands (curl and jq). While it contains no bundled executable code, its usage inherently requires the agent to execute shell commands, expanding the attack surface if the agent is manipulated.

LOW No prompt injection detected -10

The SKILL.md contains only standard API documentation with curl examples. No hidden instructions, override attempts, or obfuscation techniques were found.

INFO Combination risk with other skills -35

This skill is benign as documentation, but dangerous in combination with skills that read sensitive files or handle secrets. An agent with filesystem access plus this Telegram skill has a complete read-and-exfiltrate pipeline: read any file, then sendDocument it to a Telegram chat.