telegram-mini-app
Audited by Socket on Feb 27, 2026
1 alert found:
Security
This skill is primarily documentation and example code for building Telegram Mini Apps and integrating TON Connect. It does not contain obvious malicious code or backdoors, but several supply-chain and misuse risks are present: reliance on external unpinned packages and arbitrary manifest/asset URLs, and encouraging use of initDataUnsafe without a clear server-side validation step. The most relevant security issues are potential spoofed or forged initData leading to incorrect trust decisions, and the possibility of compromised third-party hosts or unpinned npm packages altering runtime behavior. Recommend: always validate Telegram initData server-side, pin and verify third-party dependencies (or use Subresource Integrity, SRI), host manifests and assets on a trusted, controlled domain, and treat payment/provider tokens and invoice payloads as sensitive data handled on the server.