twilio-voice

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests user-generated call recordings and transcription content from third-party callers (see "recording status callback → enqueue job" / "Worker downloads recording media → transcribes" and the "download recording media (authenticated)" examples), which the agent is expected to read/interpret and which could materially influence downstream actions (routing, CRM updates, transcripts), exposing it to indirect prompt injection risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full prompt for literal, high-entropy secret values (not placeholders or simple example strings). I ignored obvious placeholders such as "your_auth_token", "ACxxxxxxxx...", "sk-xxxx", and simple/example passwords per the instructions.

Findings:

• TWILIO_AUTH_TOKEN=9f8e7d6c5b4a3a2b1c0d9e8f7a6b5c4d (in /etc/twilio/voice.env and repeated in curl/export examples): high-entropy 32-hex string that appears to be an actual Auth Token — treated as a secret in the docs and usable for API auth. Flagged.
• TRANSCRIPTION_WEBHOOK_SECRET=whsec_6b1f0b2a9c3d4e5f (in /etc/twilio/voice.env): looks like a webhook signing secret with a "whsec_" prefix and a high-entropy suffix — usable for verifying webhook payloads. Flagged.
• TWILIO_ACCOUNT_SID=AC2f1c2d3e4f5a6b7c8d9e0f1a2b3c4d: included in the file and examples. Account SIDs are identifiers (not secret credentials by themselves), but they are present alongside the Auth Token. I note it but did not treat it as the primary secret to flag since the Auth Token and webhook secret are the sensitive items.

Ignored items (with reasons):

• export TWILIO_AUTH_TOKEN="your_auth_token" — placeholder/dev example.
• export TWILIO_ACCOUNT_SID="ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" — placeholder.
• Other example values like phone numbers, URLs, or short/simple strings — either identifiers, examples, or low-entropy placeholders and therefore not flagged.

Conclusion: there are actual high-entropy secrets embedded in the sample /etc/twilio/voice.env (Auth Token and webhook secret).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running sudo commands, creating a system user, writing systemd unit and nginx configs, and modifying files under /etc — actions that change system state and require elevated privileges.