Trust Assessment
telnyx-cli received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Potential API Key Exposure via `cat` command in documentation" and "Unpinned `npm` dependency in setup scripts and documentation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential API Key Exposure via `cat` command in documentation. The `SKILL.md` documentation includes a troubleshooting step that suggests using `cat ~/.config/telnyx/config.json` to inspect the API key configuration. If an LLM is prompted to assist with troubleshooting or debugging, it might execute this command, leading to the exposure of the `TELNYX_API_KEY` stored in the configuration file. An attacker could then attempt to exfiltrate this key, compromising the user's Telnyx account. Remove or redact the `cat ~/.config/telnyx/config.json` command from the documentation. Instead, advise users to use `telnyx auth setup` to reconfigure or `telnyx account get` to test connectivity without exposing the raw key. If inspection is absolutely necessary, advise manual user action outside of LLM interaction. | LLM | SKILL.md:181 |
| MEDIUM | Unpinned `npm` dependency in setup scripts and documentation. The `setup.sh` script and `SKILL.md` documentation instruct users to install the `@telnyx/api-cli` package globally using `npm install -g @telnyx/api-cli`. This command does not specify a version, meaning it will always install the latest available version. This introduces a supply chain risk, as a future malicious update or compromise of the package or its dependencies could lead to the installation of vulnerable or malicious code without explicit user consent or review. Pin the version of the `@telnyx/api-cli` package during installation (e.g., `npm install -g @telnyx/api-cli@X.Y.Z`) to ensure deterministic and secure installations. Regularly review and update the pinned version. | LLM | SKILL.md, setup.sh:10 |