telnyx-voice-go
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: HIGH
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly relies on and instructs handling incoming Telnyx webhooks (see "Operational Caveats" and the "Webhooks" / references/api-details.md sections) which contain untrusted caller-provided fields (e.g., sip_headers, client_state, custom_headers, from/to) that the agent is expected to parse and use to drive follow-up actions (answer/transfer/hangup), so third-party content can materially influence behavior.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for high-entropy, literal values that could be usable credentials.
Flagged:
- "v3:MdI91X4lWFEs7IgbBEOT9M4AigoY08M0WWZFISt1Yw2axZ_IiE4pqg" (in the Bridge example). This is a long, random-looking token with a "v3:" prefix and base64-like content; it appears to be a real call-control identifier/token rather than an obvious placeholder. Per the definition, this meets the high-entropy criterion and could be a usable credential.
Ignored (not flagged) with reasons:
- "7267xxxxxxxxxxxxxx" — masked/partially redacted (not usable).
- "+18005550101", "+18005550100" — phone-number examples (E.164 examples, not secrets).
- "call_control_id" and other literal placeholders like "call_control_id" in examples — documentation placeholders.
- "1293384261075731461" — numeric resource id (not a high-entropy secret).
- Other example strings and parameter names (e.g., env var usage TELNYX_API_KEY via os.Getenv) — either placeholders, environment variable names, or examples per the ignore rules.
Conclusion: the only direct, high-entropy credential-like literal present is the v3:... token, so I mark this as a real secret instance.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W008
HIGH: Secret detected in skill content (API keys, tokens, passwords).