dump-channel
Fail
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill is configured to access the ~/.local/share/telethon/ directory, which contains Telethon session files. These files store unencrypted authentication tokens that grant full programmatic access to a Telegram account, bypassing the need for passwords or multi-factor authentication if compromised.
- [PROMPT_INJECTION]: The skill includes explicit instructions for "Self-Evolving" behavior, directing the agent to modify the SKILL.md file immediately upon encountering runtime issues or "workarounds." This autonomous self-modification logic creates a persistent attack vector where malicious instructions can be permanently written into the skill if the agent is influenced by external data or induced errors.
- [PROMPT_INJECTION]: The skill processes untrusted content from external Telegram channels and groups, creating a surface for indirect prompt injection. Ingestion points: Telegram chat history and metadata via tg-cli.py; Boundary markers: None; Capability inventory: Shell command execution (Bash) and file system access (Read, Glob); Sanitization: None observed for message content.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute local Python scripts via uv run. It relies on environment variables (CLAUDE_PLUGIN_ROOT) for path resolution, which could be exploited if the environment is misconfigured or manipulated to execute unauthorized code.
Recommendations
- AI detected serious security threats