Scan Report
5/100
telegram-md-uploader
Uploads .md files to Telegram chat using Bot API
Legitimate Telegram markdown file uploader with no security issues - all declared capabilities match implementation.
Safe to install
Skill is safe to use. Consider pinning requests library version for supply chain hygiene.
Findings (1 item)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Unpinned dependency | Supply Chain | upload.py:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | upload.py:29-31 - os.path.exists() and open(file_path, 'rb') |
| Network | READ | READ | ✓ Aligned | upload.py:22 - requests.post() to api.telegram.org |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution found |
| Environment | READ | READ | ✓ Aligned | upload.py:9-10 - Reads TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, declared in SKIL… |
External URLs (2 findings)
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://t.me/BotFather | SKILL.md:12 |
| Medium | External URL | https://api.telegram.org/bot | upload.py:22 |
File Tree
2 files · 2.5 KB · 82 lines (Python: 1 file, 42 lines; Markdown: 1 file, 40 lines)
├─ SKILL.md (Markdown)
└─ upload.py (Python)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | import | No | Version not pinned - consider adding requirements.txt |
Security Positives
✓ All capabilities declared in SKILL.md match actual implementation
✓ No credential exfiltration - tokens only used for Telegram API authentication
✓ File path validated before reading (prevents path traversal)
✓ Only .md files accepted (extension validation)
✓ Clean, readable code with no obfuscation
✓ No shell execution, subprocess, or system command calls
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reading)
✓ No hidden instructions or prompt injection
✓ No base64 or encoded payloads
✓ Uses standard HTTPS for API communication