Telegram Mini App Security Auditor

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Telegram Mini App security auditor whose file scanning and report writing are disclosed and aligned with its purpose.

Run this only against the intended project or subdirectory, choose a controlled output directory, and handle the generated reports carefully because they may include snippets of secrets the scanner found. Review the optional TrustClaw command separately before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the user to run a local Python auditing script that reads arbitrary project files, writes reports to disk, and invokes an external network-capable tool (`trustclaw`). Those capabilities are materially present in the skill behavior, but no permissions are declared, which creates a transparency and policy-enforcement gap: users and hosting platforms may underestimate what the skill can access or modify.

VirusTotal

66/66 vendors flagged this skill as clean.
