Trust Assessment
telnyx-network received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 6 critical, 2 high, 2 medium, and 2 low severity. Key findings include network egress to untrusted endpoints, remote code execution via curl/wget piped to a shell, and access to the sensitive environment variable `$USER`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dotcom-squad/telnyx-network/SKILL.md:132 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dotcom-squad/telnyx-network/add-public-ip.sh:79 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dotcom-squad/telnyx-network/join.sh:82 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dotcom-squad/telnyx-network/peers.sh:31 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dotcom-squad/telnyx-network/setup.sh:80 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dotcom-squad/telnyx-network/setup.sh:96 |
| HIGH | **Passwordless Sudo for WireGuard Commands.** The `setup-sudoers.sh` script modifies `/etc/sudoers.d/` to allow the user (and thus the agent) to execute `wg` and `wg-quick` commands without a password prompt. This grants significant elevated privileges to the agent, allowing it to manage network interfaces as root. While intended for agent autonomy, it represents a high security risk if the agent or the system running it is compromised, as it could lead to arbitrary network manipulation or further system compromise. 1. **Least Privilege:** Re-evaluate if passwordless `sudo` for `wg` and `wg-quick` is strictly necessary. Can specific, limited `wg` commands be allowed instead of all? 2. **Agent Isolation:** Ensure the agent runs in a highly isolated environment (e.g., container, VM) where its access to the host system is minimized, even with `sudo` privileges. 3. **Monitoring:** Implement robust monitoring for `sudo` command execution by the agent. | LLM | setup-sudoers.sh:38 |
| HIGH | **Unsanitized IP Address in `ping` Command.** The `discover.sh` script fetches node information, including an IP address, from a JSON file stored in a Telnyx storage bucket. This IP address is then directly used in a `ping` command (`ping -c 1 -W 1 "$IP"`). If an attacker can register a malicious node (e.g., via `register.sh`) with a specially crafted `ip` field in the JSON (e.g., `1.2.3.4; rm -rf /`), this could lead to arbitrary command injection on the system running `discover.sh`. The `IP` variable is not sanitized before being passed to `ping`. 1. **Input Validation:** Strictly validate the `IP` address format (e.g., using regex for IPv4/IPv6) before using it in any shell command. 2. **Safeguard `ping`:** If `ping` is necessary, consider using a language's built-in network libraries or a more robust `ping` wrapper that handles untrusted input safely, rather than direct shell execution. 3. **Sanitize `NODE_NAME`:** In `register.sh`, sanitize `NODE_NAME` to prevent path traversal or other malicious characters from being stored in the bucket, which could then be reflected in `discover.sh`. | LLM | discover.sh:100 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/dotcom-squad/telnyx-network/setup-sudoers.sh:38 |
| MEDIUM | **Unsanitized Node Name in WireGuard Config File Path.** The `join.sh` script constructs a WireGuard configuration file path using a user-provided node `NAME`: `CONF_FILE="$SCRIPT_DIR/wg-$NAME.conf"`. This `CONF_FILE` is then passed to `sudo wg-quick up "$CONF_FILE"`. If the `NAME` argument contains shell metacharacters (e.g., `my-node; rm -rf /`), it could lead to command injection. Path traversal characters (e.g., `../../`) could potentially lead to `wg-quick` attempting to read or write to an arbitrary file on the system, potentially exposing sensitive information or causing denial of service. 1. **Input Validation:** Sanitize the `NAME` argument to ensure it only contains safe characters (e.g., alphanumeric, hyphens, underscores) and does not contain path separators or shell metacharacters. 2. **Use `mktemp` for config files:** Instead of constructing a filename based on user input, use `mktemp` to create a secure temporary file for the WireGuard configuration. | LLM | join.sh:120 |
| LOW | **Unpinned `telnyx CLI` Dependency.** The `discover.sh`, `register.sh`, and `unregister.sh` scripts instruct the user to install the `telnyx CLI` globally using `npm install -g @telnyx/api-cli`. This command installs the latest version of the package. Without pinning a specific version, future installations could pull in a malicious or vulnerable version of the CLI if the package maintainer's account is compromised or a dependency is poisoned. This introduces a supply chain risk. 1. **Pin Dependency Version:** Specify a fixed version for the `telnyx CLI` installation (e.g., `npm install -g @telnyx/api-cli@1.2.3`) to ensure deterministic installations. 2. **Integrity Checks:** If possible, use integrity checks (e.g., `npm audit`, checksums) to verify the downloaded package. 3. **Local Installation:** Consider installing dependencies locally to the skill's directory rather than globally, to limit impact. | LLM | discover.sh:40 |
| LOW | **WireGuard Private Key Stored on Disk.** The `join.sh` script retrieves a WireGuard private key from the Telnyx API and stores it directly in a file named `wg-$NAME.conf` in the skill's directory. While the script explicitly warns the user to save their private key and that it's only shown once, storing this sensitive credential on disk makes it vulnerable to local compromise if the system or the skill's directory is not adequately secured. Any process with read access to this file could exfiltrate the private key. 1. **Ephemeral Storage:** If possible, avoid writing the private key to disk. Instead, pass it directly to `wg-quick` via standard input or a secure memory mechanism if the tool supports it. 2. **Secure Permissions:** Ensure the `wg-*.conf` files are created with the most restrictive file permissions possible (e.g., `chmod 600`) to limit access to the owner. 3. **Key Management System:** For production environments, integrate with a secure key management system to handle private keys, rather than local file storage. | LLM | join.sh:110 |