telegram-mini-app
Warn
Audited by Snyk on May 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The example HTML includes a runtime which will be fetched and execute remote JavaScript (providing core Telegram.WebApp functionality) and the skill examples rely on it, so this external URL is a required runtime dependency that executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes crypto and payments functionality. It contains a "TON Connect Integration" section with code that builds and sends TON blockchain transactions (tonConnectUI.sendTransaction with address and amount), which is a direct wallet/transaction API. It also shows Telegram payment/invoice usage (replyWithInvoice with provider_token, currency, prices) for in-app purchases/Stars. These are specific tools/APIs intended to move money/crypto, not generic browser or HTTP examples.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata