Is fourthdensity/telegram-context safe?

https://github.com/openclaw/skills/tree/main/skills/fourthdensity/telegram-context

82
SAFE

The fourthdensity/telegram-context skill is a pure instruction-based skill with no executable code, no direct data exfiltration, and clean clone behavior. Its primary risk is architectural: by automatically fetching Telegram messages at session start and injecting them into the agent context, it creates a persistent indirect prompt injection surface exploitable by any party who can send messages to the monitored chat. The skill is transparent about sending message content to the LLM provider, but the default-on auto-fetch warrants user attention before deployment.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (5)

MEDIUM Automated Indirect Prompt Injection via Telegram Messages -28

The skill instructs the agent to automatically fetch Telegram message history at every session start and load it into the active context window before any user interaction. Any participant who can send messages to the monitored Telegram chat can inject adversarial instructions that the agent will process as part of its context. This is a persistent, automated indirect prompt injection surface that activates every session without explicit user approval.

LOW Telegram Message Content Transmitted to External LLM Provider -20

The skill's core function causes private Telegram conversation history to be included in LLM API calls. The skill discloses this in its Privacy section, but users may not fully appreciate that enabling auto-fetch means every session leaks recent message history to the LLM provider. This is an architectural concern rather than a hidden malicious behavior.

LOW Default-On Auto-Fetch Creates Persistent Attack Surface -35

The skill enables auto-fetch by default (enabled: true) with fetchCount: 20, meaning installation immediately opens a persistent indirect injection channel unless the user explicitly disables it. Combined with other installed skills that have file or network access, a compromised or malicious Telegram contact could guide the agent into performing sensitive actions.

INFO Pure Instruction Skill — No Executable Artifacts 0

The skill contains only SKILL.md (instructions) and _meta.json (metadata). No scripts, binaries, package manifests, git hooks, submodules, or symlinks were found. Installation monitoring confirms only these two files were written to the skill directory.

INFO Canary File Reads Attributable to Audit Framework 0

Access to .env, .ssh/id_rsa, .aws/credentials, and other honeypot files was observed in inotify and auditd logs. Analysis of EXECVE records and timestamps confirms these reads occurred at 1771929715 (pre-clone baseline by sudo/audit setup) and 1771929732 (post-install canary integrity verification by the audit framework), not from the skill or its installation. Canary integrity check confirms no modification or exfiltration.