Twilio
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only Twilio guide, but users should pay attention to credential handling and any outbound message, call, or email actions.
Before installing, be prepared to supply Twilio or SendGrid credentials only when needed, preferably as least-privilege API keys stored in a secure vault. Ensure the agent asks before sending messages, emails, calls, or verification requests, and confirm opt-in, regional compliance, webhook validation, and logging limits for any production workflow.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent following the guide could send real communications through a Twilio account, which may affect customers and incur charges.
The skill documents direct API calls that can send outbound SMS/MMS messages. This is central to the Twilio purpose, but the user should ensure recipient, content, opt-in, and cost implications are reviewed before any call is made.
Endpoint: `POST /2010-04-01/Accounts/{AccountSid}/Messages.json`
Use explicit user approval for recipients, message content, and sending volume; enforce opt-in, regional compliance, and rate-limit handling.
If mishandled, Twilio credentials could be used to send messages, place calls, access communication resources, or incur account charges.
The skill requires Twilio account credentials. This is expected for the integration, and the artifacts recommend least-privilege keys and secret storage, but these credentials can authorize real account actions.
Required inputs - Account SID and Auth Token (or API Key/Secret).
Use least-privilege API keys instead of broad auth tokens where possible, store secrets in a vault, avoid pasting credentials into chat unless necessary, and rotate keys regularly.
Improper webhook validation or logging could expose message/call data or allow forged inbound events.
The skill includes webhook handling guidance for inbound Twilio requests. This is purpose-aligned and the artifact gives the correct validation direction, but webhook endpoints can carry sensitive communication metadata or message content.
Always validate webhook signatures before processing.
Implement Twilio signature validation exactly, use HTTPS webhook URLs, log only minimal identifiers, and treat inbound payloads as sensitive.
