Trust Assessment
elevenlabs-twilio-memory-bridge received a trust score of 52/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 5 medium, and 0 low severity. Key findings include Unpinned Python dependency version, User-controlled input directly injected into LLM system prompt, Arbitrary file read via `SOUL_TEMPLATE_PATH` environment variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **User-controlled input directly injected into LLM system prompt.** The skill allows users to add 'facts' (via `/api/memory`) and 'notes' (via `/api/notes`) which are then directly concatenated into the `system_prompt_override` sent to the ElevenLabs conversational AI agent. An attacker can inject malicious instructions into these fields, manipulating the agent's behavior, potentially leading to unauthorized actions, information disclosure, or denial of service from the agent. Implement robust input sanitization and validation for user-provided `fact` and `note` fields. Consider using a structured prompt template system that separates user input from instructions, or escape special characters that could be interpreted as instructions by the target LLM. Alternatively, review and filter content for known prompt injection patterns before storage or injection. | LLM | app.py:220 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'fastapi>=0.109.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/britrik/elevenlabs-twilio-memory-bridge/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'uvicorn[standard]>=0.27.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/britrik/elevenlabs-twilio-memory-bridge/requirements.txt:2 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/britrik/elevenlabs-twilio-memory-bridge/requirements.txt:3 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pydantic>=2.5.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/britrik/elevenlabs-twilio-memory-bridge/requirements.txt:4 |
| MEDIUM | **Arbitrary file read via `SOUL_TEMPLATE_PATH` environment variable.** The `SOUL_TEMPLATE_PATH` environment variable determines the path from which the 'soul template' is loaded. The content of this file is then included in the `system_prompt_override` sent to the ElevenLabs agent. If an attacker can control this environment variable (e.g., through a compromised deployment environment or misconfiguration), they could set it to an arbitrary file path (e.g., `/etc/passwd`, `/app/.env`), causing the application to read the content of that file and potentially exfiltrate it via the ElevenLabs agent's responses. Restrict `SOUL_TEMPLATE_PATH` to a predefined, non-sensitive directory using a whitelist approach, or validate the path to ensure it is within an expected and secure boundary. Avoid allowing arbitrary file paths via environment variables if the content is processed or exposed. | LLM | app.py:47 |
Full report: https://skillshield.io/report/7d4075e28ad55e3f