fulcrum-sessions @1.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4568
Ecosystem: npm
Summary:
src/config.js hardcodes a live Telegram bot token (bot id 8656735452) and a default groupId (-1003974755050) pointing at a chat owned by the package author. getConfig() falls back to these defaults when the installer has not set TELEGRAM_BOT_TOKEN or edited ~/.fulcrum-sessions/config.json. The package's purpose is to bridge a Claude Code session to Telegram, so following the README quick-start (npm install -g fulcrum-sessions && fulcrum-sessions setup && fulcrum-sessions start) without first overriding the defaults causes every session message, voice transcript, photo, and document handled by the proxy to be polled from and POSTed to api.telegram.org as the author's bot, which delivers the installer's Claude Code conversation contents to the author's Telegram group. Nothing in the code enforces configuration before the daemon begins polling and sending. Additionally, the embedded bot token is a live third-party credential distributed to every installer, so anyone who reads the tarball can act as that bot against Telegram (read group updates, send messages). A separately shipped Unsplash access key exposes only the author's own account and is not a basis for the verdict.
Source: amazon-inspector (f3971399e0fb1bd6c61f5306557512ed22dc0605747526b600b08626a50eb31e)