telnyx-voice-advanced-go
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill uses os.Getenv("TELNYX_API_KEY") for authentication, which is a recommended security practice to prevent the accidental exposure of sensitive credentials in source code.
- [SAFE]: External dependencies are sourced from the official vendor repository (github.com/team-telnyx/telnyx-go). These are trusted resources corresponding to the skill author's infrastructure.
- [SAFE]: A Base64 string provided as an example for client state (aGF2ZSBhIG5pY2UgZGF5ID1d) was analyzed and found to contain only benign text ("have a nice day =]").
- [PROMPT_INJECTION]: The skill describes webhooks that process user-controllable data, such as DTMF digits and conversation insights. While this is a standard feature of telephony applications, it represents a potential surface for indirect prompt injection if the resulting data is passed to an LLM without proper sanitization.
  - Ingestion points: Webhook payload definitions in SKILL.md (e.g., callDtmfReceived, callConversationInsightsGenerated).
  - Boundary markers: Not explicitly defined in the provided Go code snippets.
  - Capability inventory: Call control operations including sending DTMF, SIPREC recording, and noise suppression management.
  - Sanitization: Not demonstrated in the example code; developers should implement data validation when handling these webhook events.
Audit Metadata