Chia WalletConnect - Telegram Verification
Review
Audited by ClawScan on May 10, 2026.
Overview
The wallet-verification purpose is clear, but the included backend trusts caller-supplied Telegram IDs and exposes verification status in ways that could enable spoofing or leak wallet-user links if deployed as-is.
Install only if you are prepared to harden the backend before production use. Verify Telegram initData server-side, restrict CORS, protect status endpoints, add rate limiting, and tell users that wallet address/signature data is sent to MintGarden for verification.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A deployed server could be called directly by outsiders, causing unexpected verification attempts, service abuse, or records that were not initiated through the intended Telegram flow.
The public verification endpoint accepts caller-controlled data from any origin and invokes the MintGarden verification flow without visible authentication, origin restriction, or rate limiting.
app.use(cors());
...
app.post('/api/verify', async (req, res) => {
  const { address, message, signature, publicKey, userId, timestamp } = req.body;
  ...
  const result = await verifySignature(address, message, signature, publicKey);
Restrict CORS to the deployed Telegram Web App domain, verify Telegram initData or bot-originated requests server-side, and add rate limiting before exposing the endpoint.
If another bot or access-control workflow trusts this status, someone could bind a verified wallet to an arbitrary Telegram user ID and weaken gated access or airdrop checks.
The verification record is keyed by a userId supplied in the request body, with no shown proof that this ID belongs to the Telegram user making the request.
const { address, message, signature, publicKey, userId, timestamp } = req.body;
...
pendingVerifications.set(userId, { address, verified: true, timestamp: Date.now() });
Do not trust userId from client JSON. Bind the wallet signature to server-verified Telegram initData or to the actual Telegram web_app_data sender.
Anyone who can guess or know a Telegram user ID may be able to query whether it is verified and what wallet address is linked.
The status endpoint returns verification data, including the linked wallet address, for a URL-supplied userId while CORS is enabled for all origins.
app.use(cors());
...
app.get('/api/status/:userId', (req, res) => {
  ...
  res.json({ success: true, ...verification });
Require authentication for status lookups, restrict origins, return only the minimum needed data, and avoid exposing wallet-user mappings publicly.
Users will be asked to connect a wallet and sign a message that proves wallet ownership.
The web app requests wallet address, public key, and message-signing capabilities through WalletConnect; these are expected for wallet ownership verification and do not request private keys or transactions.
methods: [ 'chip0002_getPublicKeys', 'chip0002_signMessage', 'chia_getCurrentAddress' ]
Users should review the exact message in Sage before signing and only use a deployment they trust.
MintGarden can see the wallet verification data, though no private keys are sent.
The verification library sends the wallet address, signed challenge, signature, and public key to MintGarden, which is disclosed and central to the stated purpose.
fetch(`${MINTGARDEN_API}/address/verify_signature`, {
  ...
  body: JSON.stringify({ address, message, signature, pubkey: publicKey })
})
Disclose this third-party verification flow to users and avoid putting unnecessary personal information into the signed challenge.
The deployed app depends on the CDN serving the expected script.
The browser app loads WalletConnect code from an external CDN at runtime; it is versioned and purpose-aligned, but no subresource integrity or self-hosting is shown.
<script src="https://unpkg.com/@walletconnect/sign-client@2.11.0/dist/index.umd.js"></script>
For production, pin and verify third-party scripts with SRI or self-host reviewed assets.
