telnyx-voice-ruby

Fail

Audited by Snyk on Mar 16, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests inbound webhook payloads (see SKILL.md "Webhook Verification" and "Webhooks" sections) and directs the agent to parse event.payload and issue follow-up call-control commands, meaning untrusted/third-party fields (e.g., SIP/custom headers, client_state) can materially influence subsequent actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I searched for high-entropy, literal values that could provide access. I found multiple "v3:..." call_control_id tokens that look like token-style credentials:
  • "v3:550e8400-e29b-41d4-a716-446655440000_gRU1OGRkYQ"
  • "v3:MdI91X4lWFEs7IgbBEOT9M4AigoY08M0WWZFISt1Yw2axZ_IiE4pqg"

These strings are high-entropy and, per the docs, a call_control_id is "Unique identifier and token for controlling the call" — i.e., a secret-like credential. Even though they appear in example code, they are literal, token-shaped values and therefore meet the "high-entropy, literal value that provides access" definition.

I did not flag the following as secrets:

  • ENV["TELNYX_API_KEY"] (environment variable name only — no value provided).
  • "7267xxxxxxxxxxxxxx" (masked/partially redacted).
  • Phone numbers like "+18005550101" (not secrets).
  • Simple/example strings or obvious placeholders elsewhere.

If these "v3:..." tokens are known to be synthetic examples and non-functional, they can be safely left; otherwise treat them as exposed credentials that should be rotated and removed from public docs.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 16, 2026, 10:37 AM
Issues: 2