telnyx-messaging-javascript
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill provides legitimate documentation and code examples for the Telnyx Messaging service. Analysis of the instructions and reference materials revealed no malicious patterns or high-risk behaviors. It correctly recommends the use of environment variables for API keys and provides guidance on verifying webhook signatures using Ed25519.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the official 'telnyx' Node.js package from the public npm registry, which is consistent with the skill's stated purpose and vendor author.
- [PROMPT_INJECTION]: The skill defines a surface for indirect prompt injection as it handles inbound message content (SMS/MMS), but includes mandatory signature verification which ensures the authenticity of the data source. Mandatory evidence chain: 1. Ingestion points: Webhook payload (
message.received) in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: SDK methods for sending messages, scheduling, and management tasks in SKILL.md and references/api-details.md. 4. Sanitization: Verification viaclient.webhooks.unwrap()in SKILL.md ensures message authenticity but does not sanitize text content.
Audit Metadata