registry  /  grok-telegram-bot  /  2.2.2

grok-telegram-bot@2.2.2

Control the official Grok Build CLI from Telegram over the Agent Client Protocol (ACP). Sign in with your xAI account, switch projects, resume sessions, stream responses with diffs, queue follow-ups, manage multiple sign-ins, and run 24/7 as a cross-platf

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 99 file(s), 462 KB of source, external domains: accounts.x.ai, api.telegram.org, auth.x.ai, registry.npmjs.org, www.apple.com

Source & flagged code

2 flagged · loading source
src/service/linux.tsView file
14function unitPath(): string { L15: return join(homedir(), ".config", "systemd", "user", UNIT); L16: } ... L27: const en = runSafe("systemctl", ["--user", "enable", "--now", UNIT]); L28: if (!en.ok) return fail(`systemctl enable failed: ${en.out}`); L29: const linger = runSafe("loginctl", ["enable-linger", userInfo().username]);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/service/linux.tsView on unpkg · L14
src/app/updater.tsView file
14*/ L15: import { spawn } from "node:child_process"; L16: import { get } from "node:https"; L17: import { readFileSync } from "node:fs"; ... L48: export class Updater { L49: private timer: NodeJS.Timeout | undefined; L50: private readonly state: JsonStore<PendingUpdate | null>; ... L150: // instance). On Windows / foreground there is no supervisor, so re-exec. L151: if (process.env.GROK_TG_SUPERVISED === "1") { L152: log.info("exiting for supervisor to relaunch the updated bot"); ... L187: try { L188: return (JSON.parse(readFileSync(join(projectRoot, "package.json"), "utf-8")) as { version?: string }).version ?? "0.0.0";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/app/updater.tsView on unpkg · L14

Findings

1 High4 Medium5 Low
HighSandbox Evasion Gated Capabilitysrc/app/updater.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/service/linux.ts
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings