telegram
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [DYNAMIC_EXECUTION]: The script
scripts/telegram_memory.pymodifies the Python module search path (sys.path) at runtime to include directories in the user's home folder (~/.claudicle/adapters/shared,~/.claudicle/daemon, and~/.claude/skills/shared). This allows the skill to dynamically load code from computed local paths outside its own directory. - [INDIRECT_PROMPT_INJECTION]: The skill ingests and processes messages from external Telegram users, which are stored in
~/.claudicle/daemon/inbox.jsonl. This data is untrusted and could contain malicious instructions designed to manipulate the agent. - Ingestion points:
~/.claudicle/daemon/inbox.jsonl(incoming message log). - Boundary markers: The documentation in
SKILL.mdstates that user input is sanitized for XML tags before processing. - Capability inventory: The skill can send messages (
telegram_send.py), manage persistent user memory, and access various internal data structures. - Sanitization: Sanitization for XML tags is claimed in the documentation.
- [DATA_EXPOSURE]: The skill accesses sensitive local files including message history logs (
~/.claudicle/daemon/inbox.jsonl) and the agent's internal memory models (~/.claudicle/daemon/memory/). Access to these files is necessary for the skill's stated purpose but represents an exposure risk if misused.
Audit Metadata