telegram-inbox: why it is not safe to use
Reads any Telegram chat into agent context and can send from your full account, so a prompt injection has a plausible path to act; use a scoped bot instead.
What we found
telegram-inbox connects to your personal Telegram account, not a scoped bot, using your API ID, hash, phone, and optional 2FA, and it saves a session file that grants full account access. Once connected, the agent can read messages from any chat, including text written by strangers. That untrusted message content enters the agent's context, where a hidden instruction could try to steer it. Because the same server can also send messages from your account, a successful injection has a plausible path to act, for example composing and sending a message on your behalf. All traffic stays within the official Telegram API, and no third-party endpoints were observed. On the positive side, the code is open-source Go, readable, with no hardcoded secrets, no shell or filesystem commands, and no privilege escalation.
What to do instead
If you want Telegram access, prefer a scoped bot token limited to specific chats over full account credentials. Keep this skill read-only where possible, avoid granting send permissions, and do not point it at chats containing untrusted senders. Review actions before they run.
Source: https://github.com/chaindead/telegram-mcp
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.