Integrate Twilio APIs for SMS, WhatsApp, Voice, Verify, and more via direct HTTP requests with webhook validation and operational best practices.
Security Analysis
high confidence
The skill content coherently documents Twilio APIs, but the runtime metadata omits the sensitive credentials it clearly requires and the skill has no identified source/homepage — exercise caution before providing keys.
The SKILL.md and reference files clearly describe Twilio REST surfaces (Messaging, Voice, Verify, Conversations, SendGrid, etc.) which matches the skill name. However the metadata does not declare any required environment variables or primary credential even though the instructions explicitly state 'Account SID and Auth Token (or API Key/Secret)' are required. That mismatch is notable.
The instructions stay within Twilio-related activities (HTTP requests to Twilio/SendGrid endpoints, webhook validation, rate-limit and operational guidance). They do not request access to unrelated system files or unusual external endpoints. The SKILL.md encourages security best practices (validate webhook signatures, do not log credentials).
This is an instruction-only skill with no install spec and no code files, so it does not write artifacts to disk or fetch remote code during install — low install risk.
The skill requires sensitive secrets (Account SID/Auth Token or API Key/Secret, sender IDs, webhook URLs) per SKILL.md, but the registry metadata lists no required env vars or primary credential. The metadata fails to enumerate the credentials the skill will need at runtime; that omission reduces transparency and is a security concern. Additionally, SendGrid and Segment references imply additional credentials may be needed but are not declared.
always is false and the skill does not request persistent or elevated agent-wide privileges in the metadata. Normal autonomous invocation is allowed (disable-model-invocation is false), which is expected for skills; nothing requests modification of other skills or system configs.
Guidance
This skill appears to be a documentation/guide for Twilio APIs and does not install code, but it will require your Twilio credentials (Account SID/Auth Token or API Key/Secret) and possibly SendGrid/Segment keys to do real operations. The registry metadata does not list those environment variables — ask the publisher why required credentials are not declared and confirm the skill's source/homepage before providing secrets. If you proceed: use least-privilege API keys, store them in a vault, provide ephemeral or scoped keys for testing, rotate or revoke keys after use, and verify webhook URLs and validation logic yourself. If you need provenance, request a homepage or repository link and a publisher statement explaining how and when your credentials will be used.
Latest Release
v1.0.1
Expanded coverage to include additional core Twilio APIs and features.
- Added references and guidance for Twilio Studio, Lookup, Proxy, Sync, TaskRouter, and Segment/Engage APIs.
- Updated documentation to reflect broader API support beyond Messaging, WhatsApp, Voice, Conversations, Verify, and SendGrid.
- Skill description and quick orientation now list new supported surfaces and workflow references.
Published by @codedao12 on ClawHub