Telegram Bot Builder
Provides comprehensive guidance for building production-ready Telegram bots using Node.js and Python, covering authentication, messaging, and deployment.
Install this skill
Security score
The Telegram Bot Builder skill was audited on Jun 6, 2026 and we found 23 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
| 3 | description: This skill should be used when the user asks to "create a Telegram bot", "build a Telegram chatbot", "set up a Telegram webhook", "add inline keyboards to a bot", "handle Telegram callbac |
Webhook reference - potential data exfiltration
| 8 | Comprehensive guidance for building Telegram bots using the Bot API (v9.4). Covers both Node.js and Python ecosystems with production-ready patterns for authentication, messaging, keyboards, media han |
Webhook reference - potential data exfiltration
| 15 | - Setting up webhooks or long polling for bot updates |
Webhook reference - potential data exfiltration
| 38 | ### Receiving Updates: Polling vs Webhook |
Webhook reference - potential data exfiltration
| 53 | **Webhook** (`setWebhook`) - Better for production, lower latency, requires HTTPS (ports 443, 80, 88, or 8443): |
Webhook reference - potential data exfiltration
| 56 | bot.setWebHook('https://yourdomain.com/webhook', { secret_token: SECRET }); |
Webhook reference - potential data exfiltration
| 59 | Choose polling for development and small bots. Choose webhooks for production deployments handling high traffic. |
Webhook reference - potential data exfiltration
| 189 | | Bot Config | `setMyCommands`, `setMyDescription`, `setWebhook` | |
Webhook reference - potential data exfiltration
| 195 | - **Serverless**: Webhook handler as Vercel/AWS Lambda function |
Webhook reference - potential data exfiltration
| 203 | - Validate `X-Telegram-Bot-Api-Secret-Token` on webhook endpoints |
Webhook reference - potential data exfiltration
| 207 | - Use HTTPS for all webhook endpoints |
Webhook reference - potential data exfiltration
| 216 | - **[`reference/patterns_and_examples.md`](./reference/patterns_and_examples.md)** - Production-ready implementation patterns for Node.js and Python including: inline keyboards, webhooks, media handli |
Access to .env file
| 32 | # .env file |
Access to .env file
| 44 | const bot = new TelegramBot(process.env.BOT_TOKEN, { polling: true }); |
Access to .env file
| 158 | echo "BOT_TOKEN=your_token_here" > .env |
Access to .env file
| 166 | echo "BOT_TOKEN=your_token_here" > .env |
External URL reference
| 27 | Every bot has a unique token obtained from [@BotFather](https://t.me/BotFather). Token format: `123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11`. |
External URL reference
| 29 | All API calls go to: `https://api.telegram.org/bot<TOKEN>/METHOD_NAME` |
External URL reference
| 56 | bot.setWebHook('https://yourdomain.com/webhook', { secret_token: SECRET }); |
External URL reference
| 79 | [{ text: 'Visit Site', url: 'https://example.com' }] |
External URL reference
| 103 | bot.sendPhoto(chatId, 'https://example.com/photo.jpg', { caption: 'A photo' }); |
External URL reference
| 110 | { type: 'photo', media: 'https://example.com/1.jpg', caption: 'First' }, |
External URL reference
| 111 | { type: 'photo', media: 'https://example.com/2.jpg' } |