cleanup-deleted
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill accesses highly sensitive Telegram session files located at
~/.local/share/telethon/<profile>.session. These files contain full authentication credentials for the user's Telegram account. - [COMMAND_EXECUTION]: The skill uses a Bash heredoc to execute a Python script (
cleanup_deleted.py) via theuvrunner. This provides a direct path for executing code that interacts with the filesystem and the Telegram API. - [PROMPT_INJECTION]: The 'Self-Evolving Skill' and 'Post-Execution Reflection' sections explicitly instruct the agent to modify the
SKILL.mdfile itself. This self-modification pattern can be used to bypass safety constraints or persist malicious logic if the agent is influenced by external data or workarounds during execution. - [PROMPT_INJECTION]: The skill processes untrusted external data (Telegram chat lists and contact names). This presents an indirect prompt injection surface where malicious strings in a contact's profile could attempt to influence the agent's logic during the scan and purge process.
- Ingestion points: Reads Telegram dialog list and contact list via the
telethonlibrary. - Boundary markers: None identified in the provided instructions to separate contact data from instructions.
- Capability inventory: Subprocess execution via
uv run, filesystem access to session files. - Sanitization: No evidence of sanitization for contact names or profile data before processing.
Audit Metadata