telnyx-voice-python

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill ingests inbound webhook payloads (see "Call Control is event-driven" and the "Webhook Verification" example) which include user-originated fields like data.payload.client_state, sip_headers, and custom_headers coming from callers/Telnyx, and those webhook fields are used to drive follow-up call-control commands—so untrusted third-party content can influence behavior.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full skill prompt for high-entropy, literal credential values.

Flagged item:

• call_control_id_to_bridge_with value: "v3:MdI91X4lWFEs7IgbBEOT9M4AigoY08M0WWZFISt1Yw2axZ_IiE4pqg" — this is a long, random-looking token (prefixed "v3:") that resembles an actual service token/identifier rather than a clear placeholder. It could be a usable credential and therefore meets the "high-entropy, literal value" definition.

Ignored items and why:

• UUIDs like "550e8400-e29b-41d4-a716-446655440000" — these are generic example UUIDs (low-risk examples), not high-entropy secrets in this context.
• Masked/partially redacted IDs like "7267xxxxxxxxxxxxxx" — redacted/placeholder.
• Phone numbers (e.g., "+18005550101") — public/example numbers, not secrets.
• Environment usage api_key=os.environ.get("TELNYX_API_KEY") — only an environment variable name, no value provided.
• Numeric IDs like "1293384261075731461" — not secret credentials. No private key blocks, API keys of the form "sk-live-..." or other clear live credentials were present.

Because a long random token-like string is present verbatim in an example and could be usable, I treat this as a potential hardcoded secret.