registry  /  conductor-telegram  /  0.4.3

conductor-telegram@0.4.3

Telegram bot for remote oversight of Conductor workspaces. Built by Belong.net.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Configured owner sends bot commands after explicit `conductor-telegram start`; persistence and Claude plugin setup require explicit CLI/setup actions.
Impact
Compromise of the configured Telegram owner account or bot token could enable high-privilege agent actions in configured local workspaces.
Mechanism
Authenticated Telegram-to-local AI-agent launcher with optional macOS service and Claude MCP registration.
Rationale
Direct source inspection found no malicious install hook, covert exfiltration, or foreign AI-agent control-surface mutation. Its authenticated remote agent launcher with default permission bypass is a concrete dangerous capability that warrants warning rather than a publish block.
Evidence
package.jsondist/chunk-PXMTG2N3.jsdist/bot/index.jsdist/chunk-ZYKM4257.jsdist/cli/service.jsdist/setup-VCYYS5BU.js~/.conductor-telegram/config.json~/.conductor-telegram/downloads~/.claude/plugins/conductor-telegram-mcp/.claude-plugin/plugin.json~/.claude/plugins/conductor-telegram-mcp/.mcp.json~/Library/LaunchAgents/net.belong.conductor-telegram.plist~/Library/LaunchAgents/net.belong.conductor-telegram.watchdog.plist
Network endpoints1
api.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/chunk-PXMTG2N3.js` defaults agent permission mode to `bypassPermissions`.
  • `dist/bot/index.js` launches local Claude/Codex agents from Telegram-supplied prompts.
  • `dist/bot/index.js` downloads Telegram attachments and stages them into agent workspaces.
  • `dist/chunk-ZYKM4257.js` can register a Claude Code MCP plugin that launches this package's server.
  • `dist/cli/service.js` can install a persistent macOS LaunchAgent, but only through `service install`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/bot/index.js` rejects Telegram requests unless chat/user matches configured owner values.
  • `dist/setup-VCYYS5BU.js` asks before saving configuration and before MCP-plugin installation.
  • Observed network use is Telegram API communication required for the stated bot function.
  • No credential harvesting, unrelated exfiltration, remote payload loading, or obfuscated execution was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 317 KB of source, external domains: api.telegram.org, belong.net, conductor.build, nodejs.org, www.apple.com

Source & flagged code

1 flagged · loading source
dist/cli/service.jsView file
1// src/cli/service.ts L2: import { spawnSync } from "child_process"; L3: import fs from "fs"; ... L8: var WATCHDOG_LABEL = "net.belong.conductor-telegram.watchdog"; L9: var STATE_DIR = path.join(os.homedir(), ".conductor-telegram"); L10: var LAUNCH_AGENTS_DIR = path.join(os.homedir(), "Library", "LaunchAgents"); ... L28: } L29: function launchctl(args) { L30: const result = spawnSync("launchctl", args, { encoding: "utf8" }); ... L32: code: result.status ?? -1, L33: stdout: result.stdout ?? "", L34: stderr: result.stderr ?? ""
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/service.jsView on unpkg · L1

Findings

3 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/service.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings