README.md: 27 additions & 3 deletions
@@ -101,12 +101,19 @@ This MCP server exposes a huge suite of Telegram tools. **Every major Telegram/T
101
101
### User & Profile
102
102
-**get_me()**: Get your user info
103
103
-**update_profile(first_name, last_name, about)**: Update your profile
104
+
-**set_profile_photo(file_path)**: Set a profile photo from an allowed root path
104
105
-**delete_profile_photo()**: Remove your profile photo
105
106
-**get_user_photos(user_id, limit)**: Get a user's profile photos
106
107
-**get_user_status(user_id)**: Get a user's online status
107
108
108
109
### Media
109
110
-**get_media_info(chat_id, message_id)**: Get info about media in a message
111
+
-**send_file(chat_id, file_path, caption)**: Send a local file from allowed roots
112
+
-**download_media(chat_id, message_id, file_path)**: Save message media under allowed roots
113
+
-**upload_file(file_path)**: Upload a local file and return upload metadata
114
+
-**send_voice(chat_id, file_path)**: Send `.ogg/.opus` voice note from allowed roots
115
+
-**send_sticker(chat_id, file_path)**: Send `.webp` sticker from allowed roots
116
+
-**edit_chat_photo(chat_id, file_path)**: Update chat photo from allowed roots
110
117
111
118
### Search & Discovery
112
119
-**search_public_chats(query)**: Search public chats/channels/bots
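Review bot: In the Media list, `upload_file(file_path)` is the only added file-path entry that does not mention allowed roots, so a reader cannot tell whether the allowlist applies to it; add "from allowed roots" if it does, or say why it is exempt. `download_media(chat_id, message_id, file_path)` also presents `file_path` as required, while the security section added in this commit says write tools default to `<first_root>/downloads/` when `file_path` is omitted, so mark the parameter as optional in the signature.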
@@ -142,11 +149,28 @@ To improve robustness, all functions accepting `chat_id` or `user_id` parameters
142
149
143
150
The server will automatically validate the input and convert it to the correct format before making a request to Telegram. If the input is invalid, a clear error message will be returned.
144
151
145
-
## Removed Functionality
152
+
## File-path Tools Security Model
146
153
147
-
Please note that tools requiring direct file path access on the server (`send_file`, `download_media`, `set_profile_photo`, `edit_chat_photo`, `send_voice`, `send_sticker`, `upload_file`) have been removed from `main.py`. This is due to limitations in the current MCP environment regarding handling file attachments and local file system paths.
154
+
File-path tools are available, but **disabled by default** until allowed roots are configured.
148
155
149
-
Additionally, GIF-related tools (`get_gif_search`, `get_saved_gifs`, `send_gif`) have been removed due to ongoing issues with reliability in the Telethon library or Telegram API interactions.
Security semantics (aligned with MCP filesystem server):
160
+
- Server-side allowlist via CLI positional arguments (fallback when Roots API is unsupported).
161
+
- Client-provided MCP Roots replace the server allowlist when available.
162
+
- If the client returns an empty Roots list, file-path tools are disabled (deny-all).
163
+
- All paths are resolved via realpath and must stay inside an allowed root.
164
+
- Traversal/glob-like patterns are rejected (`..`, `*`, `?`, `~`, etc.).
165
+
- Relative paths resolve against the first allowed root.
166
+
- Write tools default to `<first_root>/downloads/` when `file_path` is omitted.
167
+
168
+
Example server launch with allowlisted roots:
169
+
```bash
170
+
uv --directory /full/path/to/telegram-mcp run main.py /data/telegram /tmp/telegram-mcp
171
+
```
172
+
173
+
GIF tools are currently limited: `get_gif_search` and `send_gif` are available, while `get_saved_gifs` is not implemented due to reliability limits in Telethon/Telegram API interactions.
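Review bot: The bullet "Client-provided MCP Roots replace the server allowlist when available" means the roots passed on the command line are not an upper bound on what a client can reach; state that explicitly for operators, or document a way to intersect client Roots with the CLI roots. The rejected-pattern bullet ends in "etc.", which leaves the actual rule set unspecified, so list every rejected pattern. "Relative paths resolve against the first allowed root" and the `<first_root>/downloads/` default both depend on ordering; say how "first" is determined when the roots come from the client. The launch example allowlists `/tmp/telegram-mcp`, and a directory under `/tmp` can be pre-created by another local user on a shared host, so a per-user directory would be a safer example.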