twilio-sms
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Modifies shell profile configuration (~/.zshrc) to persist environment changes and path updates for Node.js and Python runtimes.
- [COMMAND_EXECUTION]: Implements persistence for the messaging application by providing a template for a systemd service unit.
- [COMMAND_EXECUTION]: Utilizes sudo for system-level operations, including repository management and the installation of core packages and the Twilio CLI.
- [REMOTE_CODE_EXECUTION]: Downloads and executes an installation script from NodeSource using a piped bash command.
- [PROMPT_INJECTION]: Processes untrusted data from inbound SMS bodies, which could be exploited for indirect prompt injection if the agent uses the content to drive further logic.
  - Ingestion points: Inbound SMS message body received via webhooks in the /twilio/inbound endpoint (demonstrated in Node.js and Python examples).
  - Boundary markers: The implementation lacks delimiters or instructions to ignore embedded commands within the message body.
  - Capability inventory: The skill can generate automated responses via TwiML, interact with external ticketing systems (as shown in pseudo-code), and perform bulk messaging operations.
  - Sanitization: Basic string normalization (trimming and case conversion) is present, but no robust sanitization or escaping is implemented for the external content.