Is rhlsthrm/telegram-history safe?
https://clawhub.ai/rhlsthrm/telegram-history
This skill provides legitimate Telegram message history functionality but requires careful consideration due to credential storage and external dependencies. While it uses official APIs properly, it creates security risks through plain-text credential storage and external package requirements that could be exploited.
Findings (6)
HIGH Requires external package installation -25
The skill requires installing the 'telethon' Python package without version pinning, which leaves the install exposed to dependency vulnerabilities or supply chain attacks.
MEDIUM Stores API credentials in plain text -20
The skill instructs users to store Telegram API credentials in a local JSON file (api_credentials.json) without encryption, creating a potential credential exposure risk.
MEDIUM Creates persistent session files -15
The skill creates persistent authentication session files that contain login tokens, which could be misused if the system is compromised.
MEDIUM External service connections -10
The skill connects to external Telegram infrastructure to fetch message history, which involves transmitting potentially sensitive chat data over the network.
LOW References external credential source -15
The skill instructions direct users to visit https://my.telegram.org/apps to obtain credentials, which requires trusting an external service.
INFO Legitimate Telegram API usage -25
The skill appears to use official Telegram APIs legitimately for its stated purpose of fetching message history, with no evidence of malicious behavior beyond normal functionality risks.