add-telegram
Integrates Telegram as a communication channel, allowing for notifications and control actions within the Deus platform.
Security score
The add-telegram skill was audited on Jun 1, 2026 and we found 15 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 118 | ```bash |
Template literal with variable interpolation in command context
| 124 | ```bash |
Template literal with variable interpolation in command context
| 185 | - Verify token: `curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe"` |
Template literal with variable interpolation in command context
| 216 | ```bash |
Curl to non-GitHub URL
| 185 | - Verify token: `curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe"` |
Curl to non-GitHub URL
| 217 | curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe" | grep -q '"ok":true' && echo "Token valid" || echo "Token invalid" |
Access to .env file
| 16 | Check if Telegram is already configured. If `TELEGRAM_BOT_TOKEN` exists in `.env`, skip to Phase 4 (Registration) or Phase 5 (Verify). |
Access to .env file
| 61 | Add to `.env`: |
Access to .env file
| 72 | mkdir -p data/env && cp .env data/env/env |
Access to .env file
| 75 | The container reads environment from `data/env/env`, not `.env` directly. |
Access to .env file
| 171 | 1. `TELEGRAM_BOT_TOKEN` is set in `.env` AND synced to `data/env/env` |
Access to .env file
| 220 | 3. Update the token in `.env` and sync: `mkdir -p data/env && cp .env data/env/env` |
Access to .env file
| 233 | 2. Remove `TELEGRAM_BOT_TOKEN` from `.env` |
External URL reference
| 185 | - Verify token: `curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe"` |
External URL reference
| 217 | curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe" | grep -q '"ok":true' && echo "Token valid" || echo "Token invalid" |