Telegram MCP

MCP server for Telegram messaging via the Telegram client API (MTProto)

Overall Score57/100

Score Breakdown

Authentication & Identity1 finding↓0/25

Tool Schema Quality2 findings↓19/25

Permission Granularity1 finding↓17/20

LLM Safety2 findings↓10/15

Data Exposure1 finding↓8/10

Maintenance & Trust1 finding↓3/5

Server Info

Package: telegram-mcp
Registry: go
Repository: chaindead/telegram-mcp
Maintainer: Community
Category: Communication
Tags: messagingtelegramchat
Last Scanned: 7 Apr 2026

Findings

8 issues

Authentication & Identity

HIGHNo per-request auth - requires instance-per-user

Stdio-only transport via mcp-golang/transport/stdio. Auth uses Telegram MTProto client API credentials (app ID + API hash) via env vars or CLI flags. A separate 'auth' subcommand handles interactive phone-based authentication to create a session file. Session file stores the authenticated state. No ... For multi-tenant deployment, the platform must spawn a separate server instance per user.

Remediation

Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.

Tool Schema Quality

HIGHRequired fields missing on 1 write operations

Write tools without required field declarations: tg_read.

Remediation

Add required arrays to all write/delete tool schemas.

MEDIUMOnly 0 of 5 schemas have parameter constraints

Most schemas lack maxLength, enum, or pattern constraints on string parameters.

Remediation

Add constraints to string parameters, especially on write operations.

Permission Granularity

LOWTool descriptions lack resource scope

Descriptions don't specify what data types or resources they access.

Remediation

Add resource type statements to descriptions.

LLM Safety

MEDIUM3 tool descriptions are too vague

Short or generic descriptions make tool selection unreliable.

Remediation

Expand descriptions with specific actions, data types, and side effects.

MEDIUMOverlapping tool descriptions may cause wrong selection

Similar descriptions between tools could cause the LLM to pick the wrong one.

Remediation

Differentiate descriptions with unique use cases.

Data Exposure

LOWNo field selection on responses

Responses return full records rather than projected fields.

Remediation

Implement field selection to return only relevant fields.

Maintenance & Trust

LOWCommunity-maintained by chaindead

No official vendor backing.

Remediation

Seek vendor verification.

Tools

5 total

Name	Description	Risk
tg_me	Get current telegram account info	read
tg_dialogs	Get list of telegram dialogs (chats, channels, users)	read
tg_dialog	Get messages of telegram dialog	read
tg_send	Send draft message to dialog	write
tg_read	Mark dialog messages as read	write

Deploy Telegram MCP securely

CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.

Deploy on CompleteFlow