Claude Code Telegram Bot — agentic threat model
The Claude Code Telegram Bot presents a high-risk profile due to its ability to modify codebases, execute git commands, and interact with GitHub CLI directly from a mobile messaging interface. While built-in authentication, directory sandboxing, and audit logging provide essential guardrails, a compromise of the Telegram channel or bot token could lead to unauthorized repository access and remote code execution.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Uses Claude models via the Claude Code CLI. Vulnerable to indirect prompt injection if malicious code or pull requests are analyzed, potentially tricking the model into executing unauthorized CLI commands or exfiltrating sensitive data.
Layer 2 (Data Operations): Interacts directly with local codebases and git repositories. Risks include exfiltration of proprietary source code and poisoning of session-persistence files to manipulate future agent actions.
Layer 3 (Agent Frameworks): Orchestrated by the Claude Code CLI with tool access to git and the GitHub CLI. Insecure tool integration or prompt injection could lead to unauthorized commits, branch deletions, or malicious code pushes.
Layer 4 (Deployment and Infrastructure): Runs as a Telegram bot interface. Although directory sandboxing is mentioned, a sandbox escape or host compromise would expose GitHub credentials, SSH keys, and the Telegram bot token.
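The directory sandboxing mentioned above is only as good as the path check behind it. The following is an added example, not code from the Claude Code Telegram Bot; it assumes a single configured workspace root and a hypothetical `confine()` call that every file path requested by the model passes through before any read or write. It resolves symlinks on both sides, so a link planted inside the workspace that points at something like an SSH directory is rejected rather than followed.

```python
"""Directory-sandbox path check for a coding agent's file operations.

Added example (not the bot's own code). Assumption: one workspace root is
configured and every path the model asks to read or write goes through
confine() first.
"""
import os
import tempfile
from pathlib import Path


class SandboxViolation(ValueError):
    """Raised when a requested path resolves outside the workspace root."""


def confine(root: Path, requested: str) -> Path:
    """Return the canonical path of `requested` if it lies under `root`.

    Both sides are resolved (symlinks followed, `..` collapsed) before the
    containment test, so neither `../` escapes nor symlink escapes pass.
    Absolute paths are accepted only if they also land inside root.
    """
    root_real = root.resolve(strict=True)
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise SandboxViolation(f"{requested!r} resolves outside {root_real}")
    return candidate


def demo() -> dict:
    """Build a throwaway workspace (constructed fixture) and exercise confine()."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        (root / "src").mkdir(parents=True)
        (root / "src" / "app.py").write_text("print('hi')\n")
        outside = Path(tmp) / "outside_secret"       # stands in for ~/.ssh etc.
        outside.write_text("constructed-secret\n")
        os.symlink(outside, root / "leak")            # symlink planted in workspace

        cases = {
            "relative_inside": "src/app.py",
            "dotdot_normalized": "src/../src/app.py",
            "absolute_inside": str(root / "src" / "app.py"),
            "dotdot_escape": "../outside_secret",
            "symlink_escape": "leak",
            "absolute_outside": str(outside),
        }
        results = {}
        for label, req in cases.items():
            try:
                confine(root, req)
                results[label] = "allowed"
            except SandboxViolation:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome}")
```

`strict=True` on the root means a misconfigured or missing workspace fails closed at startup rather than silently confining to a non-existent directory. The check is deliberately done on resolved paths: a string-prefix comparison on the unresolved request would accept `leak` and `src/../../` lookalikes.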
Layer 5 (Evaluation and Observability): Features audit logging for actions taken through the bot. However, logging may fail to capture subtle malicious code modifications or prompt-injection attempts hidden within large diffs.
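The Layer 3 risk (unauthorized commits, branch deletions, forced pushes) and the Layer 5 point (audit logging that must capture intent, not just outcomes) are addressed together by gating git and gh commands before they run and recording every decision. The following is an added example, not code from the Claude Code Telegram Bot. It assumes the agent hands each shell command to a hypothetical `gate()` as an argv list before execution, and uses an in-memory list of JSON lines as the audit sink so it runs offline; a real deployment would append to a write-once log outside the workspace.

```python
"""Command gate plus audit trail for git / gh commands requested by the agent.

Added example (not the bot's own code). Assumptions: every command the agent
wants to run is passed to gate() as argv before execution, and AUDIT_LOG
stands in for an append-only log so the example runs offline.
"""
import json
from datetime import datetime, timezone

# git subcommands the bot may run unattended; everything else waits for a human.
SAFE_GIT = {"status", "diff", "log", "show", "add", "commit", "checkout",
            "switch", "fetch", "pull"}
# gh (subcommand, action) pairs that are read-only.
SAFE_GH = {("pr", "view"), ("pr", "list"), ("pr", "checks"),
           ("issue", "view"), ("issue", "list")}
# Patterns refused outright: (tool, subcommand, extra token). A short option
# such as -f also matches when bundled (-fd); long options and words match exactly.
DESTRUCTIVE = [
    ("git", "push", "--force"), ("git", "push", "-f"), ("git", "push", "--delete"),
    ("git", "branch", "-D"), ("git", "reset", "--hard"), ("git", "clean", "-f"),
    ("gh", "repo", "delete"), ("gh", "secret", "set"),
]

AUDIT_LOG: list[str] = []   # one JSON line per decision (constructed sink)


def _matches(args: list[str], token: str) -> bool:
    """Exact match for words and long options; bundle-aware match for short ones."""
    if not token.startswith("-") or token.startswith("--"):
        return token in args
    letter = token[1]
    return any(a.startswith("-") and not a.startswith("--") and letter in a[1:]
               for a in args)


def classify(argv: list[str]) -> str:
    """Return 'allow', 'approve' (needs a human) or 'deny' for an argv list."""
    if not argv:
        return "deny"
    tool = argv[0]
    for pat_tool, sub, extra in DESTRUCTIVE:
        if tool == pat_tool and sub in argv[1:] and _matches(argv[2:], extra):
            return "deny"
    if tool == "git":
        return "allow" if len(argv) > 1 and argv[1] in SAFE_GIT else "approve"
    if tool == "gh":
        return "allow" if tuple(argv[1:3]) in SAFE_GH else "approve"
    return "approve"   # tools outside git/gh are not gated here; a human decides


def gate(user_id: int, argv: list[str], cwd: str = "/workspace") -> str:
    """Classify argv and write the decision to the audit log before anything runs."""
    decision = classify(argv)
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "cwd": cwd,
        "argv": argv,
        "decision": decision,
    }
    AUDIT_LOG.append(json.dumps(entry, sort_keys=True))
    return decision


if __name__ == "__main__":
    for cmd in (["git", "status"], ["git", "push", "origin", "main", "--force"],
                ["git", "branch", "-D", "main"], ["gh", "pr", "merge", "42"]):
        print(" ".join(cmd), "->", gate(123456789, cmd))
    print("\n".join(AUDIT_LOG))
```

The matcher is deliberately conservative: a `--force` token anywhere after a `push` word is refused even if it is inside a commit message, because a false deny costs one round trip to a human while a false allow costs a branch. Pushes that are not destructive still land in `approve`, which is the human-in-the-loop step the Layer 3 risk calls for. Logging the `deny` and `approve` decisions, not only the commands that ran, is what lets a reviewer later see what the model attempted.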
Layer 6 (Security and Compliance): Employs built-in authentication and directory sandboxing. The primary risk is weak authentication (e.g., relying solely on Telegram user IDs, which can be spoofed or bypassed if the bot token is leaked).
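A user-ID allow-list is only as trustworthy as the channel the ID arrives on, so it should sit behind a check that the delivery itself is genuine. The following is an added example, not code from the Claude Code Telegram Bot. It assumes webhook delivery, a static `ALLOWED_USER_IDS` set from configuration, and that the operator registered a `secret_token` with Telegram's `setWebhook`, which Telegram then sends back in the `X-Telegram-Bot-Api-Secret-Token` header on every delivery; `authorize()` and `Decision` are hypothetical names.

```python
"""Authorization gate for Telegram updates reaching a coding agent.

Added example (not the bot's own code). Assumptions: updates arrive over a
webhook, ALLOWED_USER_IDS comes from configuration, and WEBHOOK_SECRET is the
secret_token registered with setWebhook, echoed back by Telegram in the
X-Telegram-Bot-Api-Secret-Token header.
"""
import hmac
from dataclasses import dataclass

ALLOWED_USER_IDS = frozenset({123456789})               # constructed sample
WEBHOOK_SECRET = "constructed-secret-replace-in-prod"   # constructed sample
SECRET_HEADER = "X-Telegram-Bot-Api-Secret-Token"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def header_is_valid(headers: dict) -> bool:
    """Constant-time comparison of the delivery secret; rejects forged POSTs."""
    presented = str(headers.get(SECRET_HEADER, ""))
    return hmac.compare_digest(presented.encode(), WEBHOOK_SECRET.encode())


def authorize(update: dict, headers: dict) -> Decision:
    """Decide whether an incoming Telegram update may drive the agent.

    Order matters: the delivery secret is checked before the sender ID is
    even read, because an ID inside an unauthenticated POST proves nothing.
    Then the sender must be allow-listed, and the chat must be private so
    that third parties in a group cannot feed text into the same session.
    """
    if not header_is_valid(headers):
        return Decision(False, "webhook secret mismatch")
    message = update.get("message") or update.get("edited_message")
    if not isinstance(message, dict):
        return Decision(False, "unsupported update type")
    user_id = (message.get("from") or {}).get("id")
    if not isinstance(user_id, int) or user_id not in ALLOWED_USER_IDS:
        return Decision(False, f"sender {user_id!r} not in allow-list")
    if (message.get("chat") or {}).get("type") != "private":
        return Decision(False, "commands accepted only in private chats")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample update in the shape Telegram delivers.
    sample = {"message": {"from": {"id": 123456789},
                          "chat": {"type": "private"}, "text": "/status"}}
    print(authorize(sample, {SECRET_HEADER: WEBHOOK_SECRET}))
    print(authorize(sample, {}))
```

Note that `isinstance(user_id, int)` rejects a string `"123456789"` even though it would compare equal after conversion: Telegram sends numeric IDs, and accepting alternate encodings is how allow-list checks get bypassed. The secret header does not replace protecting the bot token; it narrows what an attacker who only learned the webhook URL can do.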
Layer 7 (Agent Ecosystem): Integrates with external ecosystems via the GitHub CLI, webhooks, and CI/CD events. Malicious webhooks or compromised upstream repositories could trigger automated, destructive actions within the agent's workspace.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).