The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill hardcodes a Telegram API_HASH ('4b812166a74fbd4eaadf5c4c1c855926') and API_ID (18256514) within code blocks. These are sensitive credentials that Telegram explicitly instructs developers to keep secret to prevent unauthorized application impersonation.
[CREDENTIALS_UNSAFE]: The skill instructions reference a specific Telegram session file location at '~/.local/share/telethon/eon'. These files contain the sensitive authentication tokens required to access a user's personal Telegram account and should be treated as high-value targets for exfiltration.
[COMMAND_EXECUTION]: The skill relies on 'uv run' to execute dynamically generated Python scripts and shell commands. This execution pattern presents a risk of command injection or arbitrary code execution if the data being processed is not properly sanitized.
[PROMPT_INJECTION]: The 'Self-Evolving Skill' section contains a directive instructing the agent to 'fix this file immediately' (SKILL.md) if instructions appear wrong. This self-modification capability is a persistence risk, as it allows for the storage of malicious instructions that will survive across sessions.

send-message