add-telegram-swarm

Fail

Audited by Snyk on Jun 18, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user to paste sensitive secrets (Telegram bot tokens and a Gemini API key) and instructs the agent to insert them verbatim into .env or shell commands (e.g., TELEGRA M_BOT_POOL, GEMINI_API_KEY), requiring the LLM to handle and output secret values directly, which is an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains deliberate, high-risk behaviors: it instructs storing Telegram bot tokens and other API keys in .env/launchd and adding them to container allowlists so containerized agents receive live credentials, and it implements dynamic bot renaming which enables impersonation — together these create clear avenues for credential theft, data exfiltration, and abuse by remote agents.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 18, 2026, 12:13 AM
Issues
2
Security Audit — snyk — add-telegram-swarm