Twilio
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent following the guide could send real communications through a Twilio account, which may affect customers and incur charges.
The skill documents direct API calls that can send outbound SMS/MMS messages. This is central to the skill's purpose, but the user should confirm the recipient, the content, the recipient's opt-in status, and the cost implications before any call is made.
Endpoint: `POST /2010-04-01/Accounts/{AccountSid}/Messages.json`
Use explicit user approval for recipients, message content, and sending volume; enforce opt-in, regional compliance, and rate-limit handling.
If mishandled, Twilio credentials could be used to send messages, place calls, access communication resources, or incur account charges.
The skill requires Twilio account credentials. This is expected for the integration, and the artifacts recommend least-privilege keys and secret storage, but these credentials can authorize real account actions.
Required inputs - Account SID and Auth Token (or an API Key SID and Secret; the Account SID is still needed in the request path).
Use least-privilege API keys instead of broad auth tokens where possible, store secrets in a vault, avoid pasting credentials into chat unless necessary, and rotate keys regularly.
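The two notes above (gating outbound sends, and authenticating with a scoped API Key rather than the Auth Token) come together in the following added example. It is not code from the skill or from Twilio: the opt-in set, the per-run cap, the approval hook, and the refusal of non-`SK` credentials are this example's own policy, the phone numbers and SIDs are constructed placeholders, and the 429 handling (honor `Retry-After`, otherwise back off exponentially) is an assumption about how a caller should behave. The function builds the request for the Messages endpoint but does not perform the POST; that is left to the caller's HTTP client.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Endpoint named in the advisory. The Account SID is part of the path; the HTTP Basic
# credentials can be an API Key SID/Secret rather than the Account SID/Auth Token.
MESSAGES_URL = "https://api.twilio.com/2010-04-01/Accounts/{AccountSid}/Messages.json"


class SendBlocked(Exception):
    """Raised when policy does not allow the outbound message to be sent."""


@dataclass
class SendPolicy:
    opted_in: set                        # recipients (E.164) with recorded consent
    max_per_run: int                     # hard cap on messages for one agent run
    approve: Callable[[str, str], bool]  # human approval hook: (to, body) -> bool
    sent: int = 0


def build_send_request(policy: SendPolicy, account_sid: str, key_sid: str, key_secret: str,
                       to: str, from_: str, body: str) -> dict:
    """Run every gate, then return the request to hand to an HTTP client.
    Nothing is sent here; the caller performs the POST."""
    if not account_sid.startswith("AC"):
        raise SendBlocked("account_sid must be an Account SID (AC...)")
    if not key_sid.startswith("SK"):
        # Policy of this example (not a Twilio requirement): refuse the broad Auth Token
        # and insist on a scoped API Key as the Basic-auth username.
        raise SendBlocked("authenticate with an API Key SID (SK...), not the Auth Token")
    if to not in policy.opted_in:
        raise SendBlocked(f"no opt-in on record for {to}")
    if policy.sent >= policy.max_per_run:
        raise SendBlocked("per-run volume cap reached")
    if not policy.approve(to, body):
        raise SendBlocked("user did not approve this send")
    policy.sent += 1
    return {
        "method": "POST",
        "url": MESSAGES_URL.format(AccountSid=account_sid),
        "auth": (key_sid, key_secret),                    # HTTP Basic username/password
        "data": {"To": to, "From": from_, "Body": body},  # form-encoded body
    }


def retry_delay(status: int, headers: dict, attempt: int) -> Optional[float]:
    """Seconds to wait before retrying a 429, or None when the response is final.
    Assumption of this example: honor Retry-After if present, else exponential backoff."""
    if status != 429:
        return None
    retry_after = headers.get("Retry-After", "")
    if retry_after.isdigit():
        return float(retry_after)
    return float(min(2 ** attempt, 30))


def redact(request: dict) -> dict:
    """Copy of the request that is safe to log or paste into chat: the secret is masked."""
    key_sid, _secret = request["auth"]
    return {**request, "auth": (key_sid, "***")}


if __name__ == "__main__":
    # Constructed sample data; numbers, SIDs and the secret are placeholders.
    def ask_user(to: str, body: str) -> bool:
        return input(f"Send {body!r} to {to}? [y/N] ").strip().lower() == "y"

    policy = SendPolicy(opted_in={"+15005550006"}, max_per_run=2, approve=ask_user)
    req = build_send_request(policy, "AC" + "0" * 32, "SK" + "0" * 32, "not-a-real-secret",
                             to="+15005550006", from_="+15005550001", body="Your code is 123456")
    print("request:", redact(req))
    print("wait before retry on 429:", retry_delay(429, {"Retry-After": "5"}, attempt=0))
```

Read the credentials from a vault or environment variable rather than a chat transcript, and only ever log the output of `redact`; the API Key SID identifies which key acted, which is what rotation and audit need, while the secret never reaches the log.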
Improper webhook validation or logging could expose message/call data or allow forged inbound events.
The skill includes webhook handling guidance for inbound Twilio requests. This is purpose-aligned and the artifact gives the correct validation direction, but webhook endpoints can carry sensitive communication metadata or message content.
Always validate webhook signatures before processing.
Validate the X-Twilio-Signature header exactly as Twilio specifies (the signature covers the full request URL and the POST parameters), use HTTPS webhook URLs, log only minimal identifiers, and treat inbound payloads as sensitive.
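The validation direction above, carried through as an added example that is not the skill's or Twilio's own code. It implements Twilio's published signing scheme with the standard library: HMAC-SHA1 keyed with the Auth Token over the full request URL followed by the POST parameters sorted by key and appended as key+value, base64-encoded, compared in constant time against the header; for non-form bodies Twilio instead appends a `bodySHA256` query parameter, which is checked against the raw body. The auth token, URL, numbers and SIDs are constructed placeholders, and `log_fields` reflects this example's choice of which identifiers are safe to log.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse


def compute_signature(auth_token: str, url: str, params: dict) -> str:
    """Twilio's request-signing scheme: HMAC-SHA1, keyed with the Auth Token, over the
    full request URL (including query string) followed by every POST parameter sorted
    by key, each appended as key+value with no separator; the digest is base64-encoded."""
    signed = url
    for key in sorted(params):
        values = params[key]
        if isinstance(values, str):
            values = [values]
        for value in sorted(values):       # repeated keys are appended in sorted order
            signed += key + value
    digest = hmac.new(auth_token.encode("utf-8"), signed.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def url_with_body_hash(url: str, raw_body: bytes) -> str:
    """What Twilio does for non-form (e.g. JSON) bodies: it appends a bodySHA256 query
    parameter and signs the URL with no form parameters. Used here to build a fixture."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}bodySHA256={hashlib.sha256(raw_body).hexdigest()}"


def validate_webhook(auth_token: str, url: str, params: dict,
                     signature_header, raw_body: bytes = b"") -> bool:
    """Return True only if the request is a genuine Twilio webhook for exactly this URL."""
    if not url.lower().startswith("https://"):
        return False                                     # advisory: HTTPS webhook URLs only
    if not signature_header:
        return False                                     # missing header is a forgery attempt
    expected = compute_signature(auth_token, url, params)
    # Constant-time comparison on bytes, so a non-ASCII header cannot raise instead of failing.
    if not hmac.compare_digest(expected.encode("utf-8"), str(signature_header).encode("utf-8")):
        return False
    body_hash = parse_qs(urlparse(url).query).get("bodySHA256")
    if body_hash:                                        # JSON-style body: hash must match too
        actual = hashlib.sha256(raw_body).hexdigest().encode("utf-8")
        return hmac.compare_digest(actual, body_hash[0].encode("utf-8"))
    return True


def log_fields(params: dict) -> dict:
    """Minimal identifiers for logs; message content and phone numbers are left out."""
    return {k: params[k] for k in ("MessageSid", "AccountSid", "MessageStatus") if k in params}


if __name__ == "__main__":
    # Constructed inbound-SMS webhook; the token, numbers and SIDs are placeholders.
    token = "not-a-real-auth-token"
    url = "https://hooks.example.com/twilio/sms"
    params = {"From": "+15005550006", "To": "+15005550001", "Body": "hello",
              "MessageSid": "SM" + "0" * 32, "AccountSid": "AC" + "0" * 32}
    sig = compute_signature(token, url, params)          # stands in for X-Twilio-Signature
    print("genuine:", validate_webhook(token, url, params, sig))
    print("tampered Body:", validate_webhook(token, url, {**params, "Body": "hello!"}, sig))
    print("safe to log:", log_fields(params))
```

The `url` argument must be the exact public URL Twilio requested, including scheme, host, port, path and query string; behind a reverse proxy or tunnel, build it from the configured webhook URL or the forwarded-proto/host headers rather than from what the application server sees, or every genuine request will fail validation. The official helper, `twilio.request_validator.RequestValidator(auth_token).validate(url, params, signature)`, performs the same computation; the stdlib version here only makes the steps visible.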
