Trust Assessment
twilio received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 30 findings: 13 critical, 7 high, 8 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings30
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/skills/twilio/setup.sh:75 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/voice-devotional/skills/twilio/webhook_server.py:151 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/twilio/confirm_actions.py:33 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/twilio/confirm_actions.py:75 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/twilio/sms_assistant.py:232 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/twilio/sms_assistant.py:273 | |
| CRITICAL | File read + network send exfiltration .env file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/snail3d/voice-devotional/skills/twilio/SKILL.md:65 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/voice-devotional/skills/twilio/call.py:61 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/voice-devotional/skills/twilio/conversations.py:24 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/voice-devotional/skills/twilio/respond_sms.py:179 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/voice-devotional/skills/twilio/sms.py:31 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/snail3d/voice-devotional/skills/twilio/sms_assistant.py:19 | |
| CRITICAL | TwiML Injection via unsanitized message in call.py The `call.py` script directly embeds the user-provided `--message` argument into a TwiML `<Say>` verb without any sanitization. This allows for TwiML injection, where an attacker can insert arbitrary TwiML tags (e.g., `<Gather>`, `<Redirect>`, `<Play>`) into the message. This could lead to manipulation of the call flow, unauthorized data collection (e.g., DTMF tones), or redirection of calls to malicious endpoints. Escape or sanitize the `message` content before embedding it into TwiML. Twilio's Python helper library might have built-in methods for this, or manual XML escaping (e.g., replacing `<`, `>`, `&`, `'`, `"` with their respective XML entities) should be performed. Alternatively, use the `client.calls.create(url=...)` method with a TwiML Bin or a dynamically generated TwiML URL that properly escapes the message. | LLM | call.py:30 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'execute_calendar_action'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/skills/twilio/confirm_actions.py:33 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'execute_task_action'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/skills/twilio/confirm_actions.py:75 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'add_to_calendar'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/skills/twilio/sms_assistant.py:232 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'add_task'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/skills/twilio/sms_assistant.py:273 | |
| HIGH | Command Argument Injection via SMS-parsed input The `sms_assistant.py` script parses SMS messages and extracts fields like `title`, `date`, `time`, and `due_date`. These fields are then used as direct arguments in `subprocess.run` calls to `gog` (Google Calendar CLI) and `things` (Things app CLI) in both `sms_assistant.py` (if `DELEGATION_MODE` is "auto") and `confirm_actions.py`. An attacker, if they can send messages from an `ALLOWED_SENDER` number, could craft an SMS containing malicious arguments (e.g., `--evil-flag value` or `$(command)`) within the `title` or other fields. This could lead to unintended actions or information disclosure by manipulating the behavior of the `gog` or `things` commands. Implement strict sanitization or escaping of all user-provided input before passing it as arguments to external commands via `subprocess.run`. For example, ensure that `title` and other fields cannot contain characters that would be interpreted as command-line flags or sub-commands by `gog` or `things`. Consider using a dedicated library for argument escaping if available for the target commands, or whitelist allowed characters. | LLM | sms_assistant.py:226 | |
| HIGH | Data Exfiltration via crafted SMS replies The `sms_assistant.py` processes incoming SMS messages and generates replies that are sent back to the sender via `webhook_server.py`. While the current implementation of `sms_assistant.py` does not explicitly read arbitrary files, the `CommandParser` is designed to interpret natural language. If an attacker (from an `ALLOWED_SENDER` or if the sender check is bypassed) can craft an SMS message that causes the `sms_assistant` to inadvertently include sensitive local data (e.g., from `~/.clawd/twilio_conversations.json`, `pending_actions.json`, or log files) in its generated reply, this data could be exfiltrated to the attacker's phone number. This risk is amplified if an LLM is later integrated into `sms_assistant.py` without proper output sanitization. Ensure that any data included in SMS replies is strictly controlled and sanitized. Avoid including content from local files or sensitive variables in replies unless explicitly intended and verified. If an LLM is integrated, implement robust prompt engineering and output filtering to prevent it from revealing sensitive information. | LLM | sms_assistant.py:40 | |
| HIGH | Excessive permissions: Execution of external commands based on SMS input The `sms_assistant.py` and `confirm_actions.py` scripts are designed to execute external commands (`gog` for Google Calendar and `things` for Things app) using `subprocess.run`. These commands are constructed based on parsed SMS messages. This grants the skill the ability to perform actions on the host system with the user's privileges. While intended, this capability, especially when combined with the command argument injection vulnerability, represents an excessive permission model where untrusted input (SMS body) can directly influence system-level actions. 1. **Strict Input Validation:** Implement rigorous validation and sanitization for all SMS-derived inputs before they are used in external commands. 2. **Least Privilege:** Re-evaluate if direct execution of `gog` and `things` is strictly necessary, or if there are API-based alternatives that offer more controlled interaction. 3. **Confirmation (Default):** Ensure `DELEGATION_MODE` defaults to "confirm" and requires explicit user approval for sensitive actions, especially when dealing with external commands. | LLM | sms_assistant.py:287 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/voice-devotional/skills/twilio/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/voice-devotional/skills/twilio/call.py:7 | |
| MEDIUM | Sensitive path access: Environment file Access to Environment file path detected: '.env.local'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/voice-devotional/skills/twilio/SKILL.md:65 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/voice-devotional/skills/twilio/setup.sh:75 | |
| MEDIUM | Unpinned Python dependency version Requirement 'twilio>=9.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/voice-devotional/skills/twilio/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/voice-devotional/skills/twilio/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/voice-devotional/skills/twilio/requirements.txt:3 | |
| MEDIUM | Unpinned Python dependency version Requirement 'flask>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/snail3d/voice-devotional/skills/twilio/requirements.txt:4 | |
| LOW | Loose dependency pinning in requirements.txt The `requirements.txt` file uses `>=` for specifying dependency versions (e.g., `twilio>=9.0.0`). This allows for automatic updates to newer minor or patch versions. While this can include security fixes, it also introduces a supply chain risk where a malicious update to a dependency (e.g., if a maintainer's account is compromised) could be pulled into the project without explicit review. Pin dependencies to exact versions (e.g., `twilio==9.0.0`) or use a dependency lock file (e.g., `Pipfile.lock` with `pipenv`, or `poetry.lock` with `poetry`) to ensure reproducible builds and prevent unexpected dependency changes. Regularly review and update pinned versions. | LLM | requirements.txt:1 | |
| INFO | Partial credential exposure in setup script output The `setup.sh` script, during its execution, prints a summary that includes the first 10 characters of `TWILIO_ACCOUNT_SID` and the full `TWILIO_PHONE_NUMBER` to standard output. While this is intended for user convenience, it means these partial credentials could be captured in logs or seen by unauthorized individuals if the setup process is not secured. The `SKILL.md` also contains example credentials, which should ideally be generic placeholders. Avoid echoing any part of sensitive credentials to standard output, even partial ones. If a summary is needed, indicate that credentials are set without revealing their values. Ensure example credentials in documentation are clearly marked as such and are not functional. | LLM | setup.sh:57 |
Scan History
Embed Code
[](https://skillshield.io/report/fc82316b1a10d76d)
Powered by SkillShield