Trust Assessment
twilio received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 32 findings: 15 critical, 5 high, 10 medium, and 2 low severity. Key findings include persistence / self-modification instructions, network egress to untrusted endpoints, and arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (32)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/skills/twilio/setup.sh:75 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawd/skills/twilio/webhook_server.py:151 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/skills/twilio/confirm_actions.py:33 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/skills/twilio/confirm_actions.py:75 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/skills/twilio/sms_assistant.py:232 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/skills/twilio/sms_assistant.py:273 | |
| CRITICAL | File read + network send exfiltration .env file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/clawd/skills/twilio/SKILL.md:65 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawd/skills/twilio/call.py:61 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawd/skills/twilio/conversations.py:24 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawd/skills/twilio/respond_sms.py:179 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawd/skills/twilio/sms.py:31 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawd/skills/twilio/sms_assistant.py:19 | |
| CRITICAL | Command Injection via 'eval' in Shell Script The `test_twilio_setup.sh` script uses `eval "$command"` within its `test_check` function. The `eval` command executes arbitrary shell code and is a critical security risk. Although the `$command` variable is currently constructed from hardcoded strings, this pattern is highly vulnerable to command injection if any part of the `$command` could be influenced by untrusted input in the future. An attacker could potentially inject malicious shell commands. Avoid using `eval`. Refactor the `test_check` function to execute commands directly without `eval`, or use `subprocess.run` with `shell=False` and a list of arguments in Python scripts for safer execution. | LLM | test_twilio_setup.sh:32 | |
| CRITICAL | Command Injection via User-Controlled Arguments to External Binaries The `sms_assistant.py` and `confirm_actions.py` scripts execute external binaries (`gog` for Google Calendar and `things` for task management) using `subprocess.run`. Arguments like `title`, `date`, `time`, and `due_date` are derived directly from user-controlled SMS message bodies. While `subprocess.run` with a list of arguments is generally safer than `shell=True`, the external binaries themselves might interpret these arguments in a way that allows command injection (e.g., if they internally use `eval` or shell expansion on their input). A malicious SMS message could potentially craft an argument that leads to arbitrary command execution on the host system. Thoroughly sanitize all user-derived inputs (`title`, `date`, `time`, `due_date`) before passing them as arguments to external binaries. Implement strict whitelisting or robust escaping mechanisms for characters that could be interpreted as shell metacharacters or command separators by the target binaries. Ideally, use dedicated APIs for calendar/task management instead of shell commands. | LLM | sms_assistant.py:204 | |
| CRITICAL | Command Injection via User-Controlled Arguments to External Binaries (Confirmation Script) The `confirm_actions.py` script executes external binaries (`gog` and `things`) with arguments loaded from `pending_actions.json`. These pending actions originate from user-controlled SMS messages processed by `sms_assistant.py`. This creates a persistent command injection vulnerability: if a malicious SMS message successfully injects commands into the `title`, `date`, `time`, or `due_date` fields stored in `pending_actions.json`, these commands will be executed when `confirm_actions.py` is run. Implement strict input validation and sanitization for all user-derived data before it is stored in `pending_actions.json` and before it is passed to external binaries. Ensure that `gog` and `things` are not vulnerable to argument interpretation. Consider using dedicated APIs instead of shell commands for these integrations. | LLM | confirm_actions.py:40 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'execute_calendar_action'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/skills/twilio/confirm_actions.py:33 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'execute_task_action'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/skills/twilio/confirm_actions.py:75 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'add_to_calendar'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/skills/twilio/sms_assistant.py:232 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'add_task'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/skills/twilio/sms_assistant.py:273 | |
| HIGH | Hardcoded Sensitive Phone Numbers for Access Control The `sms_assistant.py` script uses hardcoded phone numbers (`ALLOWED_SENDERS` and `ADMIN_NUMBER`) for critical access control decisions. If these numbers are compromised (e.g., SIM swap, spoofing), an attacker could bypass the skill's security mechanisms and execute arbitrary commands on the system via SMS. Hardcoding such sensitive identifiers creates a single point of failure and makes credential rotation difficult. Avoid hardcoding sensitive identifiers. Implement a secure configuration mechanism (e.g., environment variables, encrypted configuration file) to store and retrieve `ALLOWED_SENDERS` and `ADMIN_NUMBER`. Consider multi-factor authentication or more robust sender verification methods beyond just the `From` number, as SMS sender IDs can sometimes be spoofed. | LLM | sms_assistant.py:8 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawd/skills/twilio/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/clawd/skills/twilio/call.py:7 | |
| MEDIUM | Sensitive path access: Environment file Access to Environment file path detected: '.env.local'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/clawd/skills/twilio/SKILL.md:65 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawd/skills/twilio/setup.sh:75 | |
| MEDIUM | Unpinned Python dependency version Requirement 'twilio>=9.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawd/skills/twilio/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawd/skills/twilio/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawd/skills/twilio/requirements.txt:3 | |
| MEDIUM | Unpinned Python dependency version Requirement 'flask>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawd/skills/twilio/requirements.txt:4 | |
| MEDIUM | TwiML Injection Risk from User-Controlled Message Content The `call.py`, `webhook_server.py`, and `respond_sms.py` scripts directly embed user-controlled message content (`message` or `reply_text`) into TwiML XML strings without explicit escaping. If a malicious user provides input containing XML special characters (e.g., `<`, `>`, `&`, `'`, `"`), it could lead to TwiML injection. This could manipulate the Twilio voice/SMS engine to perform unintended actions, such as speaking arbitrary text, redirecting calls, or potentially exfiltrating information if the TwiML parser is vulnerable. Ensure that all user-controlled input embedded into TwiML XML is properly escaped. While the Twilio SDK might handle some escaping, it's best practice to explicitly escape XML special characters in the `message` variable before constructing the TwiML string, or use a TwiML builder library that handles this automatically. | LLM | call.py:29 | |
| MEDIUM | TwiML Injection Risk from User-Controlled Message Content (Webhook Server) The `webhook_server.py` script directly embeds `reply_text` (which originates from user-controlled SMS input via `sms_assistant.py`) into TwiML XML. If `sms_assistant.py` can be manipulated to return malicious XML, or if `reply_text` contains unescaped XML special characters, it could lead to TwiML injection. This could manipulate the Twilio voice/SMS engine to perform unintended actions. Ensure that `reply_text` is thoroughly sanitized and XML-escaped before being embedded into the TwiML response. Implement robust input validation and output encoding within `sms_assistant.py` and `webhook_server.py` to prevent malicious XML from being generated or passed through. | LLM | webhook_server.py:95 | |
| LOW | Unencrypted Storage of Sensitive Conversation History The skill stores sensitive conversation history (including message bodies, timestamps, and phone numbers) in a local JSON file (`~/.clawd/twilio_conversations.json`). This file is stored unencrypted. If the local machine is compromised, this data could be easily accessed and exfiltrated by an attacker. Consider encrypting the `twilio_conversations.json` file at rest, especially if the messages contain highly sensitive personal or confidential information. Implement access controls to restrict who can read/write this file. Regularly back up and securely delete old conversation data. | LLM | respond_sms.py:16 | |
| LOW | Inconsistent and Relative File Paths for Data Storage The skill uses inconsistent and sometimes relative file paths for storing conversation history and log files. For example, `respond_sms.py` uses `~/.clawd/twilio_conversations.json`, while `webhook_server.py` and `conversations.py` use `conversations.json` (relative to CWD). Similarly, `webhook_server.py` writes `incoming_sms.log` and `eric_notifications.log` to relative paths. This inconsistency can lead to: 1) data being stored in unexpected locations, potentially overwriting existing files or being written to insecure directories; 2) confusion and data loss if the script's current working directory changes; 3) difficulty in managing and securing sensitive data. Standardize all file paths to use a consistent, absolute location within the user's home directory (e.g., `~/.clawd/twilio_skill/`). Ensure that all scripts correctly reference these standardized paths. Avoid using relative paths for persistent data or log files to prevent unexpected file creation or overwrites. | LLM | webhook_server.py:10 |