Elevenlabs Twilio Memory Bridge
Warn
Audited by ClawScan on May 10, 2026.
Overview
The bridge is coherent for ElevenLabs/Twilio personalization, but it ships persistent prompt-memory features with weak default access boundaries and a highly personal default system prompt.
Before installing, replace soul_template.md, require signed webhooks, add authentication for memory/note APIs, restrict CORS, use HTTPS and scoped keys, pin dependencies, and define retention/deletion rules for caller memory.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed without replacing the template, the voice agent may behave as someone else’s personalized assistant and expose unrelated personal context to the model provider or callers.
The included default prompt template gives the agent a specific persona and named private context. The skill’s documented behavior is to inject this template into the system prompt.
Speaking via ElevenLabs Conversational AI to Richard... Health: TRT research, Mounjaro... **This is Allegra. Be her.**
Ship a neutral template by default, require users to explicitly configure their own prompt, and remove personal/family/health details from the packaged artifact.
A publicly exposed deployment without a secret may accept forged webhook calls, allowing unauthorized parties to trigger personalization behavior or probe memory-derived responses.
Webhook verification is disabled by default when no secret is set, and the service permits broad cross-origin access while being designed for public deployment.
if not WEBHOOK_SECRET: ... "skipping signature check" ... return True; allow_origins=["*"], allow_credentials=True, allow_methods=["*"], allow_headers=["*"]
Require WEBHOOK_SECRET for any public deployment, reject unsigned requests by default, restrict CORS to known origins, and add authentication to non-webhook API endpoints.
Incorrect or malicious notes could persistently steer the voice agent, and global notes can affect all callers. Stored caller facts may also contain sensitive personal information.
The artifacts expose persistent memory/note writes and state that the resulting context is injected into the system prompt, making stored text influential across future calls.
`/api/memory/{phone_hash}` | POST | Add long-term fact about a caller ... `/api/notes` | POST | Add global or caller-scoped context note ... returns everything as a system prompt override
Authenticate and authorize memory writes, separate factual memory from instructions, add validation/review, label untrusted context, and provide retention and deletion controls.
Users may not realize from registry metadata that provider credentials/configuration are needed before running the service.
The skill requires provider configuration and an ElevenLabs API key, while the registry metadata declares no required env vars or primary credential.
"required_env": [{ "key": "ELEVENLABS_API_KEY" }, { "key": "ELEVENLABS_AGENT_ID" }, { "key": "OPENCLAW_API_BASE_URL" }, { "key": "PUBLIC_BASE_URL" }]
Document the exact credential scopes needed, keep API keys minimal and scoped, and align registry metadata with the manifest.
Future installs may pull newer dependency versions than the author tested.
Dependencies are installed from version ranges rather than pinned hashes or a lockfile. This is common for Python services but less reproducible.
fastapi>=0.109.0 uvicorn[standard]>=0.27.0 python-dotenv>=1.0.0 pydantic>=2.5.0
Use a lockfile or pinned dependency versions for production deployments.
