v1.0.0

Elevenlabs Twilio Memory Bridge

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:29 AM.

Analysis

This appears to be a real ElevenLabs/Twilio memory bridge, but it needs review because it persists and injects sensitive memory into prompts and ships with weak/default public endpoint boundaries.

Guidance: Review and harden this before installing: replace the included personal soul template, require a webhook secret, restrict CORS, put /api/memory and /api/notes behind admin authentication, treat the data directory as sensitive, add retention/deletion controls, and pin dependencies.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium, Confidence: Medium, Status: Concern
app.py
if not WEBHOOK_SECRET: ... "skipping signature check" ... return True ... allow_origins=["*"], allow_credentials=True, allow_methods=["*"], allow_headers=["*"]

The code allows webhook verification to be disabled when no secret is configured and permits broad cross-origin access, which is risky for a publicly exposed service that controls prompt personalization and memory APIs.

User impact: If deployed as-is without a webhook secret and tighter access controls, unsolicited requests may reach high-impact personalization or memory-changing surfaces.
Recommendation: Make WEBHOOK_SECRET mandatory in production, validate request origin and agent IDs, restrict CORS to trusted domains, and require authentication for memory and notes endpoints.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
requirements.txt
fastapi>=0.109.0
uvicorn[standard]>=0.27.0
python-dotenv>=1.0.0
pydantic>=2.5.0

The service uses normal Python dependencies for its purpose, but version ranges are not pinned to exact versions or a lockfile.

User impact: Future installs may pull newer dependency versions with different behavior or newly introduced vulnerabilities.
Recommendation: Pin dependency versions, use a lockfile, and install from a trusted repository or reviewed release.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
manifest.json
"key": "ELEVENLABS_API_KEY", "description": "ElevenLabs API key (scoped/read-only preferred)"

The integration expects provider credentials, which is purpose-aligned, but users should notice that account access is involved and scope the key carefully.

User impact: A broadly scoped provider key could allow more access to the ElevenLabs account than this bridge needs.
Recommendation: Use the least-privileged ElevenLabs key available, keep it in environment variables only, and rotate it if the deployment host or repository is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High, Confidence: High, Status: Concern
app.py
bullet_list = "\n".join(f"- {f}" for f in facts) ... f"- ... {n['note']}" ... parts.append(f"---\n# Caller Context\n{context_block}")

Persisted facts and notes are copied verbatim into the caller context that becomes the system prompt override, so prompt-like or incorrect stored text can persistently influence future conversations.

User impact: A bad, malicious, or mistaken memory entry could be reused later and steer the voice agent's behavior or expose private context during calls.
Recommendation: Require authenticated/admin-only memory writes, label memories as untrusted data, delimit or sanitize memory text before prompt injection, and add review, deletion, and retention controls.

Memory and Context Poisoning
Severity: High, Confidence: High, Status: Concern
soul_template.md
You have access to Richard's memory: family ... health (TRT, Mounjaro) ... Partner: Zoe ... Children: Jen ... Chris ... Syl ... Work: Senior Commercial Director at Lightcast

The default template includes specific personal, family, work, and health context that is not generic to the bridge and is intended to be injected into the assistant prompt.

User impact: Installing or deploying the skill without replacing the template could expose someone else's private context to callers or an LLM provider and make the agent behave as that person's assistant.
Recommendation: Remove or replace the default soul_template.md before deployment, avoid publishing real personal details in templates, and treat prompt templates as sensitive configuration.