telegram-miniapp-security-auditor

Audit Telegram Mini App projects for launch safety before connecting bot tokens or public channels. Use when Codex needs to review a Telegram WebApp/Mini App, TMA frontend, FastAPI/Node backend, BotFather launch runbook, Colab/ngrok deployment, or OpenClaw/Codex skill that handles Telegram initData, bot tokens, admin endpoints, CORS, PII, request forms, or public channel launch readiness.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "telegram-miniapp-security-auditor" with this command: npx skills add zack-dev-cm/telegram-miniapp-security-auditor

Telegram Mini App Security Auditor

Audit Telegram Mini Apps with a static, evidence-first workflow. Prefer the bundled script for repeatability, then inspect the flagged files before giving launch advice.

Quick Start

Run the static auditor from the skill folder:

python3 {baseDir}/scripts/audit_tma.py \
  /path/to/project \
  --out-dir /tmp/tma-audit

Expected outputs:

  • tma_security_audit.json
  • tma_security_audit.md

Decision meanings:

  • PASS: no blocking or review-triggering evidence found by this static pass.
  • REVIEW: launch only after a human verifies the listed risks.
  • BLOCK: do not launch or connect production bot tokens until fixed.

Workflow

  1. Run scripts/audit_tma.py against the project root or Mini App subdirectory.
  2. Read the Markdown report and inspect every BLOCK and REVIEW file reference.
  3. If the app is not detected as a Telegram Mini App, confirm whether the user passed the correct path.
  4. For production launch, require all of these:
    • server-side Telegram initData validation,
    • no committed bot tokens or token-like literals,
    • admin endpoints protected by server-side authorization,
    • no broad CORS in production,
    • request forms reject or avoid contact details, handles, secrets, and payment terms when governance requires it,
    • local/browser QA evidence before BotFather or channel changes.
  5. If packaging as a ClawHub/Codex skill, run TrustClaw after this audit:
trustclaw scan /path/to/skill --format markdown

Finding Triage

Treat script output as static evidence, not a final proof of safety.

  • hardcoded-telegram-token: always BLOCK; rotate the token if it was committed.
  • initdata-no-server-validation: BLOCK; Mini App users must not be trusted from client-side data alone.
  • insecure-initdata-bypass: usually REVIEW; acceptable only for clearly documented local dev commands and disabled-by-default server behavior.
  • cors-wildcard: REVIEW, or BLOCK if credentials are also enabled.
  • admin-endpoint-without-guard: BLOCK.
  • unsafe-innerhtml: REVIEW; verify escaping or sanitization.

For detailed rules and manual checks, read references/tma-security-checklist.md only when needed.

Output Contract

When answering a user, lead with:

  1. decision,
  2. highest-severity findings with file paths,
  3. launch recommendation,
  4. artifacts produced,
  5. any limitations of the audit.

Keep live Telegram/BotFather/channel changes out of scope unless the user explicitly asks to launch and the project has passed audit and QA.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
