telegram-mini-app
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is documentation and examples for building Telegram Mini Apps and integrating TON Connect. It contains expected sources and sinks for this domain and no evidence of hidden malware or obfuscation. The primary security concern is the example use of initDataUnsafe and other convenience snippets (console logging, embedding user.id into shared links) without showing robust validation or privacy safeguards; copying examples as-is could lead to info leakage or trusting unvalidated init payloads. Overall the content is coherent with its stated purpose and not malicious, but developers must validate initData, avoid logging PII, and ensure manifest/script URLs and payment tokens are securely managed.

LLM verification: No evidence of malicious code or deliberate data exfiltration in the provided documentation and examples. The primary risks are: (1) insecure example usage of initDataUnsafe (risk of spoofed user data if developers do not validate initData), and (2) unpinned third-party dependency shown in install examples (minor supply-chain risk if copied without review). Recommend updating examples to demonstrate validating initData, pinning package versions, and warning about not committing payment/provider