twilio-whatsapp
Fail
Audited by Snyk on Mar 7, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit API keys, auth tokens, and example .env/config entries with secret values (e.g., SK..., AC..., a_very_long_secret_value) and shows commands/export lines that embed them, which encourages the LLM to reproduce secret values verbatim — a high exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill ingests untrusted, user-generated WhatsApp message content via Twilio webhooks (see the "Receive inbound WhatsApp messages" / POST /twilio/inbound handler that reads req.body.Body, NumMedia, MediaUrl, MessageSid and routes/enqueues them), which the service is expected to parse and act on to make routing/response decisions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit sudo installation commands and guides creating/modifying system-wide resources (a systemd unit at /etc/systemd/system, service user usage and file permission changes), which require elevated privileges and thus push the agent to modify the machine state.