Critical-risk tools in MCP-Telegram
20 of the 181 tools in MCP-Telegram are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- telegram-change-stars-subscription (Financial): Cancel or restore a Telegram Stars subscription (payments.ChangeStarsSubscription). Pass canceled=true to cancel an active subscription before its next renewal, or false to rest...
- telegram-clear-drafts (Destructive): Delete saved message drafts. Pass chatId to clear the draft for a single chat. Without chatId, clears drafts in ALL chats — requires confirmAllChats: true
- telegram-clear-recent-emoji-statuses (Destructive): Clear your recently-used emoji status list (the
- telegram-close-poll (Destructive): Close a poll permanently. This is a one-way operation — closed polls cannot be reopened.
- telegram-delete-business-chat-link (Destructive): Delete a Telegram Business chat link by its slug. Requires Telegram Business subscription.
- telegram-delete-fact-check (Destructive): Remove a fact-check annotation. Requires fact-checker privileges.
- telegram-delete-folder (Destructive): Delete a Telegram chat folder by its ID. Chats inside the folder are not deleted — they remain in All Chats. System folders (0 = All Chats, 1 = Archive) cannot be deleted.
- telegram-delete-message (Destructive): Delete messages in a Telegram chat
- telegram-delete-profile-photo (Destructive): Delete one or more profile photos by their photo IDs. Use telegram-get-profile-photo to obtain the current photo ID. Returns which IDs were deleted and which were not found.
- telegram-delete-scheduled (Destructive): Delete scheduled messages in a Telegram chat
- telegram-delete-stories (Destructive): Delete one or more of your own stories. This action is irreversible and requires confirm:true.
- telegram-delete-topic (Destructive): Delete a forum topic and all its message history
- telegram-revoke-invite-link (Destructive): Revoke an invite link for a group or channel
- telegram-logout (Destructive): Log out from Telegram completely. Revokes the session on Telegram servers (removes it from Settings → Devices), deletes the local session file, and disconnects. After this you m...
- telegram-ban-user (Destructive): Ban a user from a supergroup or channel (permanent until unbanned)
- telegram-kick-user (Destructive): Kick a user from a Telegram group (removes without permanent ban)
- telegram-leave-group (Destructive): Leave a Telegram group or channel
- telegram-convert-star-gift (Financial): Convert a received Star Gift into Stars (non-reversible). The gift is removed from your profile and its conversion value is added to your Stars balance. Pass msgId for personal ...
- telegram-send-paid-reaction (Financial): Send a paid reaction (★ Stars) on a channel post. Stars are spent from your balance. Optional private flag controls leaderboard visibility.
- telegram-terminate-session (Destructive): Terminate a specific Telegram session by its hash, or explicitly terminate all other sessions by setting terminateAllOther=true
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.