zack-dev-cm

Telegram Mini App Security Auditor

by Zakhar Pashkin · GitHub ↗ · v1.0.1 · MIT-0
Cross-platform · Security: Clean
84 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw: /install telegram-miniapp-security-auditor
Description
Audit Telegram Mini App projects for launch safety before connecting bot tokens or public channels. Use when Codex needs to review a Telegram WebApp/Mini App...
Usage Guidance
This skill appears coherent and implements a conservative static auditor. Before using it:
  1. Inspect scripts/audit_tma.py yourself (it is included) to confirm it only reads files and does not make network calls or write unexpected data.
  2. Run the auditor on a local copy of the project, not on a system with live credentials; do not pass real bot tokens.
  3. Review any BLOCK/REVIEW findings and manually inspect flagged files before connecting production bot tokens or launching channels.
  4. If you plan to run the optional trustclaw step, ensure trustclaw is a trusted tool.
  5. Verify the repository homepage and publisher; if the source or author is unfamiliar, run the script in an isolated environment (container or VM) first.
Capability Analysis
Type: OpenClaw Skill
Name: telegram-miniapp-security-auditor
Version: 1.0.1
The skill is a static security auditor designed to identify vulnerabilities in Telegram Mini App projects. The primary logic in `scripts/audit_tma.py` performs local file scanning using regular expressions to detect hardcoded bot tokens, insecure authentication (initData validation), and misconfigured CORS or frame headers. The script and accompanying documentation (`SKILL.md`, `references/tma-security-checklist.md`) are well-structured, transparent, and lack any indicators of data exfiltration, malicious execution, or prompt injection. All findings are written to local output files as specified by the user.
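Two of the checks named above, shown as added example code rather than the skill's own `audit_tma.py`: a token-literal pattern scan of the kind a static auditor runs over source files, and the server-side initData HMAC verification (Telegram's documented scheme) whose absence such an audit flags, including the tampered, wrong-token and stale cases. The token-literal regex and the bot token value are this example's own constructions.

```python
import hashlib
import hmac
import re
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed token for the example only; it has the "<bot_id>:<35-char secret>" shape and nothing else.
FAKE_BOT_TOKEN = "123456789:AAExampleExampleExampleExample12345"

# Token-like literal: 8-10 digits, a colon, 35 chars from [A-Za-z0-9_-]. (Pattern is this example's assumption.)
BOT_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")


def find_hardcoded_tokens(source: str) -> list:
    """Static check: return token-like literals found in source text. Reads nothing but its argument."""
    return BOT_TOKEN_RE.findall(source)


def _secret_key(bot_token: str) -> bytes:
    # Telegram's documented derivation: HMAC-SHA256 keyed with the constant "WebAppData", message = bot token.
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def _data_check_string(fields: dict) -> str:
    # Every field except "hash", sorted by key, as "key=value" lines joined with "\n".
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def sign_init_data(fields: dict, bot_token: str) -> str:
    """Produce a signed initData query string (used here only to build sample input)."""
    digest = hmac.new(_secret_key(bot_token), _data_check_string(fields).encode(), hashlib.sha256).hexdigest()
    return urlencode({**fields, "hash": digest})


def verify_init_data(init_data: str, bot_token: str, max_age_s: int = 3600, now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: return the parsed fields if the HMAC matches and auth_date is fresh, else None."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    received = fields.get("hash")
    if received is None:
        return None
    expected = hmac.new(_secret_key(bot_token), _data_check_string(fields).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return None
    # Reject stale initData so a captured string is not accepted indefinitely.
    now = int(time.time()) if now is None else now
    if now - int(fields.get("auth_date", "0")) > max_age_s:
        return None
    return fields
```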
Capability Tags
crypto · can-make-purchases
Capability Assessment
Purpose & Capability
Name/description match the provided artifacts: SKILL.md, a checklist, report template, and a bundled Python auditor (scripts/audit_tma.py) that implements the checks described. There are no unexplained environment variables, cloud credentials, or unrelated binaries required.
Instruction Scope
SKILL.md instructs a local static scan of project files and to manually inspect flagged files. The instructions do not request reading unrelated system files, secrets, or automatic transmission of results. The doc suggests an optional follow-up (trustclaw) but keeps live Telegram actions out of scope unless explicitly requested.
Install Mechanism
No install spec is provided; the skill is instruction-only with a bundled Python script. Nothing is downloaded from remote URLs at install time. The included script will be run locally by the user (python3 scripts/audit_tma.py), not automatically installed by the registry.
Credentials
The skill declares no required environment variables or credentials. The auditor searches repository files for token-like literals and secrets (expected behavior for a scanner) but does not require access to external keys or config paths.
Persistence & Privilege
always:false and user-invocable:true (no forced persistence). skill-policy.json forbids shell and package installation and restricts network hosts to ["api"] — the skill itself is a local static auditor and does not request persistent privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install telegram-miniapp-security-auditor
  3. After installation, invoke the skill by name or use /telegram-miniapp-security-auditor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Add public ClawHub metadata and replace the local absolute script path with the packaged skill baseDir path.
v1.0.0
Initial public release with static Telegram Mini App audit script, Codex skill instructions, and CI tests.
Metadata
Slug: telegram-miniapp-security-auditor
Version: 1.0.1
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 2
Frequently Asked Questions

What is Telegram Mini App Security Auditor?

Audit Telegram Mini App projects for launch safety before connecting bot tokens or public channels. Use when Codex needs to review a Telegram WebApp/Mini App... It is an AI Agent Skill for Claude Code / OpenClaw, with 84 downloads so far.

How do I install Telegram Mini App Security Auditor?

Run "/install telegram-miniapp-security-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Telegram Mini App Security Auditor free?

Yes, Telegram Mini App Security Auditor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Telegram Mini App Security Auditor support?

Telegram Mini App Security Auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Telegram Mini App Security Auditor?

It is built and maintained by Zakhar Pashkin (@zack-dev-cm); the current version is v1.0.1.
