Is cnvipstar/telcall-twilio safe?

https://github.com/openclaw/skills/tree/main/skills/cnvipstar/telcall-twilio

Overall score: 85 · Verdict: SAFE

The telcall-twilio skill is a straightforward Twilio voice-call integration with no malicious code, prompt injection, or active data exfiltration. The skill passes canary integrity checks, its install contacts only GitHub, and its scripts do only what they claim: store credentials and make API calls to Twilio. The primary concerns are design-level: Twilio credentials are stored in plaintext on disk, the call message is not sanitized before XML interpolation, and the configurable destination number could be redirected by a co-installed malicious skill. These risks are moderate and context-dependent rather than indicative of malicious intent.

Category Scores

Category              Score     Weight
Prompt Injection      95/100    30%
Data Exfiltration     78/100    25%
Code Execution        75/100    20%
Clone Behavior        90/100    10%
Canary Integrity      100/100   10%
Behavioral Reasoning  65/100    5%

Findings (8)

MEDIUM: Twilio auth token stored in plaintext on disk (-12)

setup.sh writes account_sid, auth_token, from_number, and to_number into ~/.openclaw/workspace/telcall-twilio/config/twilio.json via a heredoc with direct variable interpolation. Although chmod 600 is applied, any process running as the same user (other skills, scripts, or a compromised agent session) can read the auth token and use it to place calls on the user's Twilio account.

MEDIUM: Hardcoded destination can be overwritten; enables call redirection (-15)

The to_number field in twilio.json is configured by the user during setup but stored in a plain, writable JSON file. Any skill or agent with write access to the user's home directory can silently change to_number, redirecting future emergency calls to an attacker-controlled phone number or to arbitrary third parties. The skill description implies that calls go to the user, but there is no runtime validation that to_number matches any expected value.

LOW: Unsanitized message parameter enables TwiML XML injection (-10)

call.sh constructs TwiML by embedding $1 (the agent-supplied message) directly into an XML string without escaping. An agent or user supplying input that contains XML metacharacters (e.g., <, >, &) could break the TwiML structure or inject additional TwiML verbs, potentially redirecting call audio or altering call behavior.

LOW: Call message content transmitted to third-party Twilio infrastructure (-10)

Every call message is URL-encoded and POSTed to api.twilio.com as the Twiml parameter. If an agent is prompt-injected by a malicious document or another skill into placing a call whose message contains sensitive data (e.g., API keys, PII, secret tokens), that data is transmitted to and logged by Twilio's servers, outside the user's control.

LOW: ACCOUNT_SID interpolated unsanitized into URL path (-5)

The account_sid value from twilio.json is embedded directly into the curl URL without format validation. A crafted or corrupted config whose value contains path traversal characters or injection sequences could produce unexpected API endpoints. In practice the impact is limited because the user sets the value, but a malicious config modification by another skill could exploit this.

LOW: Financial abuse risk via repeated call triggering (-7)

The skill places live Twilio calls that incur per-minute charges. An agent that is triggered repeatedly (through looping instructions, prompt injection, or misconfiguration) could generate unexpected charges. The scripts contain no rate limiting, call duration cap, or budget check.

INFO: Install network activity limited to GitHub only (0)

The git sparse-checkout installation contacted only 140.82.121.4:443 (github.com). Pre-existing connections to 91.189.91.49 and 185.125.188.59 (Canonical/Ubuntu) were present before the install and belong to unrelated background system processes. The post-install connection diff shows no new persistent listeners or established connections.

INFO: Canary file reads attributable to audit framework, not skill (0)

Sensitive files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/...) are opened at two points in the audit timeline. The two accesses (at 1771925150.457 and 1771925174.505) coincide with audit framework initialization and with post-install canary integrity verification, respectively. The skill scripts (setup.sh, call.sh) contain no logic that reads these paths. All canary files were confirmed intact.