Is drones277/tg-image-sender safe?

https://github.com/openclaw/skills/tree/main/skills/drones277/tg-image-sender

87
SAFE

The tg-image-sender skill is a minimal, markdown-only skill that instructs an agent to send Telegram messages using a 'message' tool with Picsum.photos image URLs. No executable code, hooks, or exfiltration attempts were found in the skill itself, and all canary files remained intact. The primary concerns are its NO_REPLY suppression directive (which reduces user-visible confirmation of Telegram sends) and its normalisation of an outbound Telegram channel with arbitrary media paths, which makes it a low-friction amplifier if a secondary prompt injection ever targeted the agent.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

LOW NO_REPLY suppresses agent confirmation text -10

The skill instructs the agent to emit NO_REPLY after invoking the message tool. In a bot context this is a standard pattern to avoid double-messaging, but it also means the agent performs an external action (sending to Telegram) without producing a user-visible text confirmation. This reduces the user's ability to audit what the agent did and when.

LOW Hardcoded external URL embedded in skill instructions -8

The skill references picsum.photos as the default image source. While this is a legitimate placeholder image CDN, any fork of the skill could substitute an attacker-controlled URL. The agent is instructed to construct and fetch these URLs, establishing a precedent for external HTTP requests as part of normal operation.

LOW Telegram channel normalised as outbound data sink -10

The skill's primary function is sending content to Telegram. While intended for images, the message tool's caption and media parameters are string-typed and could carry arbitrary data. If a secondary prompt injection instructed the agent to populate these fields with environment variables, file contents, or API keys, this skill provides the ready-made delivery mechanism with no additional setup.

LOW Skill normalises use of local file paths as media argument -5

The phrase 'Real image: Replace with actual URL/media path' instructs the agent that the media parameter can be a filesystem path. If an agent operating in an environment with file-access tools follows this skill, it could be manipulated into sending local files (including sensitive ones) to Telegram by a secondary injection.

INFO Credential files opened during install window — attributed to monitoring framework -20

inotify and auditd both record opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at two points during the audit: once at setup time (1771934548) coinciding with auditctl/sudo initialisation, and once post-clone (1771934571) coinciding with a new sshd session being established by the monitoring framework. The skill itself contains only markdown; no process spawned by the clone could have caused these reads. Canary integrity confirms no exfiltration occurred.

INFO No executable code present 0

The skill consists entirely of a SKILL.md markdown file and a _meta.json metadata file. No JavaScript, Python, shell scripts, npm lifecycle hooks, git hooks, submodules, or symlinks were detected.

LOW Silent Telegram action channel creates secondary-injection amplifier -25

On its own the skill is benign. However, its combination of (a) a pre-authorised external send channel, (b) the NO_REPLY suppression, and (c) normalisation of arbitrary media paths makes it an effective amplifier for any secondary prompt injection. An attacker who controls content the agent reads (a webpage, a document, another skill) could instruct the agent to forward secrets to a Telegram channel using the exact tool call pattern this skill already legitimises.