twilio-lookup
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The installation instructions for the Twilio CLI utilize
sudoto move binaries into/usr/local/bin. This pattern requests administrative privileges, which can lead to privilege escalation if executed by an agent in a sensitive environment. - [EXTERNAL_DOWNLOADS]: The skill instructs the download of the Twilio CLI binary from an Amazon S3 bucket (
twilio-cli-prod.s3.amazonaws.com). While Twilio is a well-known service provider, downloading and installing binaries from remote sources at runtime presents a supply chain risk. - [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection (Category 8) where untrusted phone number data is interpolated into API requests and shell commands.
- Ingestion points: The
phonevariable is used across Python, Node.js, and Bash examples (e.g.,client.lookups.v2.phoneNumbers(input).fetch()). - Boundary markers: The examples lack boundary markers or delimiters to isolate user input from the rest of the command or URL.
- Capability inventory: The skill utilizes network operations (
curl, SDKs) and CLI tools that could be manipulated through crafted inputs. - Sanitization: Code snippets lack explicit input validation or sanitization for the
phonevariable, potentially allowing parameter pollution or command manipulation. - [DATA_EXFILTRATION]: The skill references sensitive file paths for configuration and secrets, such as
/run/secrets/twilio_api_key_secretand/etc/openclaw/twilio/lookup.toml. Interaction with these paths involves the exposure of sensitive system areas and credential storage.
Recommendations
- HIGH: Downloads and executes remote code from: https://twilio-cli-prod.s3.amazonaws.com/twilio-cli-linux-x86_64.tar.gz - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata