mini-apps
Enables the creation of standalone React mini-apps for various functionalities like forms and dashboards using the Mini-Apps toolchain.
Security score
The mini-apps skill was audited on Mar 3, 2026 and we found 49 security issues across 4 threat categories, including 8 high-severity. Review the findings below before installing.
Security Issues
Direct command execution function call

| Line | Code |
|---|---|
| 809 | this.db.exec(`CREATE TABLE IF NOT EXISTS ...`); |
| 810 | this.db.exec(`CREATE INDEX IF NOT EXISTS ...`); |
| 936 | this.db.exec(` |
| 948 | this.db.exec(` |
| 1578 | this.db.exec(` |
| 1589 | this.db.exec(` |

Template literal with variable interpolation in command context

| Line | Code |
|---|---|
| 261 | name: `reminder-${eventId}`, |
| 426 | message: `New booking: ${userName} scheduled a meeting for ${formatDate(dateTime)}`, |
| 435 | message: `Your meeting "${title}" has been confirmed for ${formatDate(dateTime)}.`, |
| 1058 | return res.status(404).json({ error: `App "${appName}" not found` }); |
| 1089 | return res.status(501).json({ error: `Method "${method}" not implemented` }); |

Curl to non-GitHub URL

| Line | Code |
|---|---|
| 561 | 1. Run `curl -s -X POST http://localhost/api/apps/reload` to refresh the cache |
| 562 | 2. Check status: `curl http://localhost/api/apps/<app-name>` should show `"status": "published"`, `"isBuilt": true` |
| 688 | curl http://localhost:3080/apps/my-app/ |
| 691 | curl http://localhost:3080/apps/my-app/ \| grep -o 'src="[^"]*"' |
| 694 | curl http://localhost:3080/apps/my-app/assets/index-xxxxx.js \| head -c 100 |

Fetch to external URL

| Line | Code |
|---|---|
| 1006 | const response = await fetch('/api/apps/bridge', { |
| 1203 | const response = await fetch('/api/apps/bridge', { |
| 1267 | const response = await fetch('/api/apps/bridge', { |

Webhook reference - potential data exfiltration

| Line | Code |
|---|---|
| 283 | ### 3. Webhooks (Built-in Capability) |
| 285 | Receive data from external services via webhook endpoints. |
| 291 | webhooks: |
| 299 | \| `bridge.webhooks.getEndpointUrl(name)` \| Get webhook URL to share \| `endpointName: string` \| |
| 300 | \| `bridge.webhooks.onWebhookReceived(name, callback)` \| Listen for incoming data \| `endpointName: string, callback: (data) => void` \| |
| 302 | **Example - Form submission webhook:** |
| 305 | // Get the webhook URL to embed in external forms |
| 306 | const webhookUrl = await bridge.webhooks.getEndpointUrl('form-submit'); |
| 307 | console.log('Share this URL:', webhookUrl); |
| 311 | const cleanup = bridge.webhooks.onWebhookReceived('form-submit', (data) => { |
| 482 | webhooks: |
| 1136 | // For capabilities (scheduler, webhooks, storage) |
| 1341 | webhooks?: { enabled?: boolean }; |
| 1353 | // Webhooks capability |
| 1354 | if (method.startsWith('webhooks.')) { |
| 1355 | if (!capabilities?.webhooks?.enabled) { |
| 1356 | throw new Error('Capability denied: webhooks not enabled in APP.yaml'); |
| 1512 | This guide explains how to add a new capability to the mini-apps bridge (like storage, scheduler, webhooks). Follow these steps when implementing new backend services that mini-apps can access. |
| 1546 | webhooks: WebhookCapabilitySchema.optional(), |
| 1708 | webhooks?: { enabled?: boolean }; |

Access to .env file

| Line | Code |
|---|---|
| 725 | const path = dbPath \|\| process.env.SQLITE_DB_PATH \|\| './data/orient.db'; |
| 928 | const path = dbPath \|\| process.env.SQLITE_DB_PATH \|\| './data/orient.db'; |
| 1569 | const path = dbPath \|\| process.env.SQLITE_DB_PATH \|\| './data/orient.db'; |

External URL reference

| Line | Code |
|---|---|
| 561 | 1. Run `curl -s -X POST http://localhost/api/apps/reload` to refresh the cache |
| 562 | 2. Check status: `curl http://localhost/api/apps/<app-name>` should show `"status": "published"`, `"isBuilt": true` |
| 563 | 3. Preview at: `http://localhost/apps/<app-name>/` |
| 635 | proxy_pass http://dashboard_api_local/apps/; |
| 688 | curl http://localhost:3080/apps/my-app/ |
| 691 | curl http://localhost:3080/apps/my-app/ \| grep -o 'src="[^"]*"' |
| 694 | curl http://localhost:3080/apps/my-app/assets/index-xxxxx.js \| head -c 100 |