ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TG Canvas Mini App

v0.2.6

Telegram Mini App Canvas with terminal and optional Control UI proxy. Renders agent-generated content (HTML, markdown, A2UI) in a Telegram Mini App; push wit...

0· 850·3 current·3 all-time
byWei Dai@clvv
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with required binaries (node, cloudflared) and the code (HTTP/WebSocket server, miniapp, node-pty). Required env vars (BOT_TOKEN, ALLOWED_USER_IDS, JWT_SECRET, MINIAPP_URL, PUSH_TOKEN) are all justifiable: BOT_TOKEN and ALLOWED_USER_IDS for Telegram auth, JWT_SECRET for session JWTs, PUSH_TOKEN to protect loopback-only push endpoints when a tunnel is used, and MINIAPP_URL for bot setup. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and README clearly document the server endpoints, the JWT-auth flow, and that the terminal opens a server-side PTY. The provided scripts (setup-bot.js, start.sh) read a local .env when used for setup, but server.js itself does not auto-load local credential files; this matches the SKILL.md FAQ. The instructions appropriately call out cloudflared loopback behavior and require PUSH_TOKEN. Because the terminal spawns a shell, the runtime instructions grant a high-privilege capability that must be intentionally enabled and tightly access-controlled (ALLOWED_USER_IDS).
Install Mechanism
There is no remote download or extract in the registry metadata; package.json lists minimal Node deps (node-pty, ws). SKILL.md recommends npm install which matches package.json. Requiring cloudflared as a binary is appropriate for the documented Cloudflare tunnel usage. No suspicious remote install URLs or archives are present.
Credentials
Requested environment variables are proportionate to the stated functionality. PUSH_TOKEN is explicitly required and enforced at startup (the server exits if missing) — this is appropriate given the cloudflared loopback bypass. MINIAPP_URL is primarily needed for bot setup (setup-bot.js), which explains its inclusion. The optional OPENCLAW_GATEWAY_TOKEN is only required if the proxy is enabled; that is explained in docs. No unrelated secrets or excessive env requirements were found.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. However, the in-scope capability to spawn a server-side PTY (bash) is a real and significant privilege — anyone granted access via Telegram initData (and who is in ALLOWED_USER_IDS) can execute shell commands as the process user. This is expected behavior for the feature but poses operational risk if ALLOWED_USER_IDS, PUSH_TOKEN, BOT_TOKEN, or JWT_SECRET are mismanaged.
Scan Findings in Context
[pre-scan-injection] unexpected: No pre-scan injection signals were detected. The absence of regex findings is not proof of safety but here matches the codebase which is readable and not obfuscated.
Assessment
This skill appears to do exactly what it says, but it exposes high privileges that you must manage carefully. Before installing: - Treat the terminal feature as if you were installing remote shell access: only put trusted Telegram user IDs into ALLOWED_USER_IDS. If you don't need the terminal, do not enable it (note: the UI feature is compiled in, but access still requires Telegram auth). Consider disabling or removing the PTY code if you want to eliminate this risk entirely. - Always set a strong PUSH_TOKEN and keep BOT_TOKEN and JWT_SECRET secret. The server refuses to start without PUSH_TOKEN; verify it is present and random (eg. openssl rand -hex 32). - Understand cloudflared behavior: tunnel traffic appears as localhost, so IP loopback checks are ineffective. The code author is aware and enforces PUSH_TOKEN, but misconfiguration could expose /push or /clear. Test endpoints from outside before trusting them. - If you enable the OpenClaw proxy (ENABLE_OPENCLAW_PROXY=true) be careful with OPENCLAW_GATEWAY_TOKEN; only set it if necessary and ensure the proxied origin is added to the gateway's allowedOrigins. - Review server.js and the startup scripts yourself (they're included) to confirm they match your operational expectations (especially JWT lifetime, token verification, and that the server does not read unexpected local credential files in your deployment setup). - Run the service in an isolated environment (or behind an authenticated reverse proxy / domain + TLS) for initial testing, and routinely update node-pty/ws dependencies for security patches. If you want, I can point to the exact lines where the PTY is spawned and where PUSH_TOKEN is enforced so you can audit them directly.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ftysb0rcnjkwftbm73ajz581wa8g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
Binsnode, cloudflared
EnvBOT_TOKEN, ALLOWED_USER_IDS, JWT_SECRET, MINIAPP_URL, PUSH_TOKEN

Comments