Telegram Mini App Security Auditor
v1.0.3
Audit Telegram Mini App projects for launch safety before connecting bot tokens or public channels. Use when Codex needs to review a Telegram Web App/Mini App, TMA frontend, FastAPI/Node backend, BotFather launch runbook, Colab/ngrok deployment, or OpenClaw/Codex skill that handles Telegram initData, bot tokens, admin endpoints, CORS, PII, request forms, or public channel launch readiness.
Audit Telegram Mini Apps with a static, evidence-first workflow. Prefer the bundled script for repeatability, then inspect the flagged files before giving launch advice.
Quick Start
Run the static auditor from the skill folder:
python3 {baseDir}/scripts/audit_tma.py \
  /path/to/project \
  --out-dir /tmp/tma-audit
Expected outputs:
tma_security_audit.json
tma_security_audit.md
Decision meanings:
PASS: no blocking or review-triggering evidence found by this static pass.
REVIEW: launch only after a human verifies the listed risks.
BLOCK: do not launch or connect production bot tokens until fixed.
Workflow
1. Run scripts/audit_tma.py against the project root or Mini App subdirectory.
2. Read the Markdown report and inspect every BLOCK and REVIEW file reference.
3. If the app is not detected as a Telegram Mini App, confirm whether the user passed the correct path.
4. For production launch, require all of these:
   server-side Telegram initData validation;
   no committed bot tokens or token-like literals;
   admin endpoints protected by server-side authorization;
   no broad CORS in production;
   request forms reject or avoid contact details, handles, secrets, and payment terms when governance requires it;
   local/browser QA evidence before BotFather or channel changes.
5. If packaging as a ClawHub/Codex skill, run TrustClaw after this audit:
trustclaw scan /path/to/skill --format markdown
Finding Triage
Treat script output as static evidence, not a final safety determination.
hardcoded-telegram-token: always BLOCK; rotate the token if it was committed.
initdata-no-server-validation: BLOCK; Mini App users must not be trusted from client-side data alone.
insecure-initdata-bypass: usually REVIEW; acceptable only for clearly documented local dev commands and disabled-by-default server behavior.
cors-wildcard: REVIEW, or BLOCK if credentials are also enabled.
admin-endpoint-without-guard: BLOCK.
unsafe-innerhtml: REVIEW; verify escaping or sanitization.
For detailed rules and manual checks, read references/tma-security-checklist.md only when needed.
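The server-side initData check that the launch requirement and the initdata-no-server-validation finding call for, as an added Python example (not part of the auditor script or of any audited project): it recomputes Telegram's documented HMAC-SHA256 signature over the initData fields and enforces an auth_date freshness window. The bot token, the fake user payload and the 3600-second maximum age are constructed placeholders and local assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

def _telegram_hash(bot_token: str, fields: dict) -> str:
    # Telegram's documented scheme: key = HMAC-SHA256(key="WebAppData", msg=bot_token);
    # message = every field except 'hash', sorted by key, as key=value lines joined by '\n'.
    secret_key = hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()
    check_string = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")
    return hmac.new(secret_key, check_string.encode(), hashlib.sha256).hexdigest()

def verify_init_data(init_data: str, bot_token: str,
                     max_age_seconds: int = 3600, now: Optional[float] = None) -> Optional[dict]:
    """Return the parsed initData fields if authentic and fresh, otherwise None.
    max_age_seconds is a local policy choice (assumed here), not a Telegram constant."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    received = fields.get("hash", "")
    if not received:
        return None
    # Constant-time compare so the check does not leak how many hex digits matched.
    if not hmac.compare_digest(_telegram_hash(bot_token, fields), received):
        return None
    try:
        auth_date = int(fields["auth_date"])
    except (KeyError, ValueError):
        return None
    current = time.time() if now is None else now
    if current - auth_date > max_age_seconds:
        return None  # genuine signature, but stale enough to be a replayed payload
    return fields

def make_demo_init_data(bot_token: str, auth_date: int) -> str:
    """Constructed fixture only: build initData the way Telegram would for a fake user."""
    fields = {
        "query_id": "AAExampleQueryId",
        "user": '{"id":123456789,"first_name":"Ada","username":"ada_example"}',
        "auth_date": str(auth_date),
    }
    fields["hash"] = _telegram_hash(bot_token, fields)
    return urlencode(fields)

if __name__ == "__main__":
    token = "123456:EXAMPLE_BOT_TOKEN_PLACEHOLDER"  # placeholder, never a real token
    good = make_demo_init_data(token, 1_700_000_000)
    print("genuine accepted:", verify_init_data(good, token, now=1_700_000_100) is not None)
    forged = good.replace("123456789", "987654321")  # a client-side edit of the user id
    print("tampered rejected:", verify_init_data(forged, token, now=1_700_000_100) is None)
```

A backend that trusts `user` from the query string without this check is exactly what the finding flags; the bot token used here must live only on the server.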
Output Contract
When answering a user, lead with:
decision;
highest-severity findings with file paths;
launch recommendation;
artifacts produced;
any limitations of the audit.
Keep live Telegram/BotFather/channel changes out of scope unless the user explicitly asks to launch and the project has passed audit and QA.