twilio-testing
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing and acting upon untrusted external data.
  - Ingestion points: The skill ingests `leadData` (names, addresses) and call transcripts from the ElevenLabs API, as seen in the `testContextInjection` and `testTCPACompliance` functions.
  - Boundary markers: There are no boundary markers or delimiters used when interpolating external strings into the logic that evaluates agent behavior.
  - Capability inventory: The skill possesses powerful capabilities including `Bash` execution, `WebFetch` for network requests, and the ability to initiate and control telephony via the Twilio SDK.
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions that might be embedded in lead names or call transcripts before they are processed by the agent.
- [CREDENTIALS_UNSAFE]: The skill instructs the user to store sensitive API credentials in a `.env` file within the project directory.
  - Evidence: The "Environment Setup" section in `SKILL.md` explicitly lists `TWILIO_AUTH_TOKEN` and `ELEVENLABS_API_KEY` for storage in `.env`.
  - Context: Because the agent is granted `Read`, `Glob`, and `Grep` permissions, it can programmatically access these secrets once they are populated by the user.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to perform system-level operations.
  - Evidence: Used for installing packages (`npm install twilio`), installing global utilities (`npm install -g ngrok`), and running the development server.
  - Context: While these are standard development procedures, the use of `Bash` combined with network access (ngrok) requires the user to ensure the environment is properly isolated.
Audit Metadata