telegram-skills-bin
Fail
Audited by Snyk on Jun 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Yes — this is a direct download of a prebuilt executable from a third‑party GitHub Releases repo (roziscoding/telegram‑skills) that is executed without checksum/signature verification, a common malware distribution vector even if the release is version‑pinned.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's runtime bash wrapper downloads and execs a prebuilt binary from GitHub Releases (https://github.com/roziscoding/telegram-skills/releases/download/v1.4.0/telegram--), so it fetches and executes remote code as a required dependency.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata