twilio-testing
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill retrieves and processes user-generated conversation data from external services (e.g., calls to startElevenLabsConversation/getElevenLabsConversation/listElevenLabsConversations and the ConversationRelay websocket URL wss://api.elevenlabs.io/... shown in services/routes/twiml.ts) and then reads/transforms transcripts to drive context checks, compliance decisions, metrics, and call-control logic (see testContextInjection, testTCPACompliance, measureAudioQuality), so untrusted third-party/user content can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). During runtime the TwiML connects to ElevenLabs via the WebSocket URL wss://api.elevenlabs.io/v1/convai/${conversationId}/stream, and the remote ElevenLabs agent configuration (system prompt/agent behavior) hosted there directly controls the conversation prompts the skill relies on.