telegram-mini-app-skill
Warn
Audited by Snyk on Feb 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's examples load and execute the remote SDK at runtime from https://telegram.org/js/telegram-web-app.js. This is a required external script dependency: the script runs in the page and creates window.Telegram.WebApp, so it constitutes an executed remote dependency, and whoever controls that URL controls code running in the Mini App.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly documents Telegram's payment APIs, e.g. tg.openInvoice(invoiceUrl, (status) => { ... }), where status is one of "paid", "cancelled", "failed" or "pending", and includes payment-related events such as invoiceClosed. These are payment-specific methods (opening invoices and handling payment status), not generic UI or networking calls, so the skill provides direct financial execution capability.
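The two findings above describe a runtime-loaded SDK and a payment call whose outcome arrives as a client-side status string. The following is an added example, written for this page and not code from the audited skill or from Telegram, showing how a Mini App would guard that call: it refuses to proceed unless the remote script has actually created window.Telegram.WebApp, validates the invoice URL scheme, normalises any status outside the four documented values to "unknown", and flags "paid" and "pending" as needing server-side confirmation (the latter rule is the editor's recommendation, not something the SDK enforces). The mock SDK root, the invoice URL and the needsServerConfirmation field are constructed for the example.

```javascript
// Added example (not from the audited skill or Telegram): guarded openInvoice wrapper.

// The remote script the skill's examples load at runtime; its execution is what
// creates window.Telegram.WebApp.
const SDK_URL = "https://telegram.org/js/telegram-web-app.js";

// The four statuses the audit cites for the openInvoice callback.
const KNOWN_STATUSES = ["paid", "cancelled", "failed", "pending"];

// Returns the SDK object, or throws if the remote script has not executed.
// `root` defaults to the real global object; tests pass a mock instead.
function getWebApp(root = globalThis) {
  const wa = root.Telegram && root.Telegram.WebApp;
  if (!wa || typeof wa.openInvoice !== "function") {
    throw new Error(`Telegram WebApp SDK not present: ${SDK_URL} has not executed`);
  }
  return wa;
}

// Any status string outside the documented set is treated as "unknown",
// never as success.
function normalizeStatus(status) {
  return KNOWN_STATUSES.includes(status) ? status : "unknown";
}

// Opens the invoice and reports a normalised result to onResult.
// "paid"/"pending" are only the client's claim, so they are flagged for
// server-side confirmation (assumption: the caller has a backend that checks
// the payment before unlocking anything).
function openInvoiceChecked(invoiceUrl, onResult, root = globalThis) {
  if (typeof invoiceUrl !== "string" || !invoiceUrl.startsWith("https://")) {
    throw new Error("invoiceUrl must be an https:// URL");
  }
  const wa = getWebApp(root);
  let settled = false;
  wa.openInvoice(invoiceUrl, (status) => {
    if (settled) return;             // ignore a duplicate callback
    settled = true;
    const s = normalizeStatus(status);
    onResult({
      status: s,
      needsServerConfirmation: s === "paid" || s === "pending",
    });
  });
  return { invoiceUrl, sdkUrl: SDK_URL };
}

// Constructed mock of the SDK surface so the wrapper runs outside Telegram.
// It invokes the callback twice to exercise the duplicate-callback guard.
function makeMockRoot(statusToReport) {
  return {
    Telegram: {
      WebApp: {
        openInvoice(_url, cb) {
          cb(statusToReport);
          cb(statusToReport);
        },
      },
    },
  };
}

// Runs one invoice through the wrapper against the mock and returns the
// result the callback received (constructed invoice URL).
function demo(statusFromSdk) {
  let seen = null;
  openInvoiceChecked("https://t.me/$example-invoice", (r) => { seen = r; }, makeMockRoot(statusFromSdk));
  return seen;
}
```

Run as a script, `demo("paid")` yields `{ status: "paid", needsServerConfirmation: true }`, while `demo("ok")` yields status `"unknown"`; calling `openInvoiceChecked` with a root lacking `Telegram.WebApp` throws, which is the condition an app is in whenever the remote script fails to load or is blocked.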
Audit Metadata