AgentReadyHomeAgent Listing

← Claude Code Telegram Bot

Claude Code Telegram Bot — agentic threat model

7.6AIVSS 7.6 · High

The Claude Code Telegram Bot presents a high-risk profile due to its ability to modify codebases, execute git commands, and interact with GitHub CLI directly from a mobile messaging interface. While built-in authentication, directory sandboxing, and audit logging provide essential guardrails, a compromise of the Telegram channel or bot token could lead to unauthorized repository access and remote code execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.96Factor sum 6.1/10Threat ×1.05Mitigation ×0.8
Autonomy of Action
0.80
Goal-Driven Planning
0.80
Self-Modification
0.30
Dynamic Tool Use
0.90
Persistent Memory
0.60
Contextual Awareness
0.70
Dynamic Identity
0.50
Multi-Agent Interactions
0.20
Non-Determinism
0.70
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Uses Claude models via Claude Code CLI. Vulnerable to indirect prompt injection if malicious code or pull requests are analyzed, potentially tricking the model into executing unauthorized CLI commands or exfiltrating sensitive data.

L2 · Data Operations✓ mapped

Interacts directly with local codebases and git repositories. Risks include data exfiltration of proprietary source code and poisoning of session persistence files to manipulate future agent actions.

L3 · Agent Frameworks✓ mapped

Orchestrated by Claude Code CLI with tool access to git and GitHub CLI. Insecure tool integration or prompt injection could lead to unauthorized commits, branch deletions, or malicious code pushes.

L4 · Deployment & Infrastructure✓ mapped

Runs as a Telegram bot interface. While directory sandboxing is mentioned, a sandbox escape or host compromise would expose GitHub credentials, SSH keys, and the Telegram bot token.

L5 · Evaluation & Observability✓ mapped

Features audit logging for actions taken through the bot. However, logging may fail to capture subtle malicious code modifications or prompt injection attempts hidden within large diffs.

L6 · Security & Compliance (cross-cutting)✓ mapped

Employs built-in authentication and directory sandboxing. The primary risk is weak authentication (e.g., relying solely on Telegram user IDs, which can be spoofed or bypassed if the bot token is leaked).

L7 · Agent Ecosystem✓ mapped

Integrates with external ecosystems via GitHub CLI, webhooks, and CI/CD events. Malicious webhooks or compromised upstream repositories could trigger automated, destructive actions within the agent's workspace.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).