Skill v1.0.1
ClawScan security
Telegram Mini App Dev · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill with copy-paste React hooks/components and documentation that align with its stated purpose of helping build Telegram Mini Apps; it asks for no credentials or installs and contains no obvious exfiltration or unrelated capabilities.
- Guidance: This skill appears coherent and safe for its stated purpose: reusable React hooks/components and a knowledge base for Telegram Mini Apps. Before using, ensure you do not copy any server-side bot tokens or other secrets into client code; server-side calls that prepare inline messages must hold bot credentials on the server only. If you implement the suggested server-side image generation (resvg-wasm, R2/CDN), secure those services and credentials appropriately. Review any third-party packages (@telegram-apps/sdk, resvg) you add to your project for supply-chain risk, and verify behavior on actual iOS/Android Telegram clients as recommended in the testing checklist.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included files (hooks, components, knowledge base). The referenced APIs (window.Telegram.WebApp, WebApp.shareMessage, bot.savePreparedInlineMessage, R2/CDN, resvg-wasm) are relevant to building Telegram Mini Apps.
- Instruction Scope (ok): SKILL.md and code only instruct reading Telegram WebApp state, handling UI issues, preparing inline messages, and server-side image generation patterns. No instructions ask the agent to read unrelated system files, environment variables, or transmit arbitrary data to unknown endpoints.
- Install Mechanism (ok): No install spec is provided (instruction-only), so nothing is downloaded or written to disk. References to libraries (e.g., @resvg/resvg-wasm, @telegram-apps/sdk) are typical dependencies for the documented tasks and would be installed by the user if needed.
- Credentials (ok): The skill declares no required environment variables or credentials. The documentation correctly separates client-side code from server-side needs (e.g., backend calling bot.savePreparedInlineMessage). No unexpected secret access is requested.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request persistent/system-level privileges or modify other skills' configs. All code is client-side utilities meant to be copy/pasted into projects.
