telnyx-voice-curl
Fail
Audited by Snyk on Mar 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill for literal, high-entropy values that could be used to access or control resources.
Flagged as potential secrets:
- v3:550e8400-e29b-41d4-a716-446655440000_gRU1OGRkYQ — appears repeatedly as a call_control_id in request URLs and payloads. The "v3:..._gRU1OGRkYQ" form includes a base-like suffix and is described in the doc as a "Unique identifier and token for controlling the call", which implies capability-bearing credentials rather than a simple resource ID. Its random-looking suffix meets the high-entropy criterion.
- v3:MdI91X4lWFEs7IgbBEOT9M4AigoY08M0WWZFISt1Yw2axZ_IiE4pqg — used in the bridge example as a call_control_id value; it is a long, random-looking token and similarly appears to be a capability token for call control.
Ignored items (with reasons):
- TELNYX_API_KEY="YOUR_API_KEY_HERE" — documentation placeholder; explicitly a placeholder, ignore.
- Phone numbers like "+13125550001", "+18005550101" — obvious examples (E.164 format) and not secrets.
- Raw UUIDs such as "550e8400-e29b-41d4-a716-446655440000" and numeric IDs like "1293384261075731461" — these look like resource identifiers; alone they are low-entropy/identifier values and are commonly used in examples. The doc also treats them as IDs rather than bearer credentials.
- Any redacted/truncated patterns or labelled examples (none are real API keys or private keys).
- Webhook signing guidance references the public key location but does not include any private/public key material.
Conclusion: I flagged the two v3:... tokens because they look like high-entropy, capability-bearing call_control_id values embedded directly in example requests and URLs; these could be usable credentials if they are live.
Issues (1)
W008
HIGH Secret detected in skill content (API keys, tokens, passwords).