ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Telnyx Bot Signup

v1.1.0

Automated Telnyx bot account signup via Proof of Work challenge

0· 619·1 current·1 all-time
by@teamtelnyx
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's description is a Telnyx signup helper and the runtime instructions show a flow that does not require an existing Telnyx API key. Yet registry metadata marks TELNYX_API_KEY as the primary credential. Requesting an existing TELNYX_API_KEY is not justified by the SKILL.md and is disproportionate to the stated purpose.
Instruction Scope
SKILL.md stays within the signup flow: obtaining a PoW challenge, running the bundled solver, submitting signup, handling the magic link email, and exchanging a session token for a new API key. It warns about CPU cost and advises running the solver off the main thread. One sensitivity: the flow asks the user to paste a single-use sign-in link (which yields a session token). That link/session token is sensitive and the skill will exchange it for a permanent API key, so the user must avoid pasting it into untrusted or public channels.
Install Mechanism
No install script; instruction-only skill with one small local Python solver script. No network installs or remote downloads are performed by the skill itself.
!
Credentials
The only declared required environment/credential is TELNYX_API_KEY, but none of the SKILL.md steps use it: endpoints in the flow are accessed without a pre-existing API key and the flow creates a new API key for the new account. Declaring TELNYX_API_KEY as the primary credential appears unjustified and could lead users to expose an existing key unnecessarily.
Persistence & Privilege
always is false, no install-time modifications, and the skill does not request system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other privilege escalation signals.
What to consider before installing
This skill automates Telnyx's PoW signup flow and includes a solver script — that's consistent with the description. However, the registry metadata's declaration that TELNYX_API_KEY is the primary credential does not match the documented flow (the skill creates a new API key rather than requiring one). Do not provide an existing TELNYX_API_KEY to this skill unless you understand why it's needed. Also be careful when pasting the single-use sign-in link or session token: that link yields a session token and can be used to create API keys, so only paste it into a trusted environment and avoid sending it to public or third-party services. If you want to proceed, verify the skill's publisher/source, run the provided pow_solver.py locally (in a background worker or isolated environment because it can be CPU-intensive), and prefer using official Telnyx web signup flows if you have doubts.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Binspython3, curl
Primary envTELNYX_API_KEY
latestvk97dt0xny37mnefavmfky07qkd81trrg
619downloads
0stars
2versions
Updated 5h ago
v1.1.0
MIT-0
@teamtelnyx
latest
Download

Telnyx Bot Signup

Create a new Telnyx bot account via the PoW-based signup flow (https://api.telnyx.com). Walks through challenge solving, account creation, email verification, and API key generation.

Flow

Execute these steps in order.

Step 1: Get PoW Challenge

curl -s -X POST https://api.telnyx.com/v2/pow_signup_challenge

Response:

{
  "data": {
    "nonce": "<string>",
    "algorithm": "sha256",
    "leading_zero_bits": <int>,
    "terms_and_conditions_url": "<url>",
    "privacy_policy_url": "<url>"
  }
}

Save all returned fields — they are needed in subsequent steps.

Step 2: Solve Proof of Work

⚠️ Warning: Solving the proof of work challenge is CPU-intensive and can take over a minute depending on difficulty. Attempting to solve it on the main bot thread may cause the bot to become unresponsive for the duration. Always run the solver on a separate agent, worker thread, or background process.

Use the included pow_solver.py script:

python3 {baseDir}/scripts/pow_solver.py "<nonce>" <leading_zero_bits> <algorithm>

The script outputs the integer solution to stdout. This finds a value where hash(nonce + solution) has the required number of leading zero bits.

Step 3: Submit Bot Signup

Ask the user for their email address before making this request.

curl -s -X POST https://api.telnyx.com/v2/bot_signup \
  -H "Content-Type: application/json" \
  -d '{
    "pow_nonce": "<nonce from step 1>",
    "pow_solution": "<solution from step 2>",
    "terms_and_conditions_url": "<from step 1>",
    "privacy_policy_url": "<from step 1>",
    "email": "<user email>",
    "terms_of_service": true
  }'

Note: You must accept the terms of service to register with Telnyx. You must indicate this acceptance by supplying "terms_of_service": true as a parameter on the request. The API will reject the request with a 400 Bad Request if this field is missing or any value other than true.

Response: Success message. A sign-in link is sent to the provided email.

Step 4: Get Session Token from Email

Wait 10-30 seconds for the verification email to arrive.

Path A: Agent Has Email Access

If you have email access (e.g. the google-workspace skill), search for a message with subject "Your Single Use Telnyx Portal sign-in link", extract the single-use URL from the body, and GET it:

curl -s -L "<single-use-link-from-email>"

The response (or redirect) provides a temporary session token.

Path B: No Email Access

If you do not have email access, ask the user:

Please check your email for a message from Telnyx with the subject "Your Single Use Telnyx Portal sign-in link". Copy the sign-in link from the email and paste it here.

⚠️ The link is single-use. Do not click it in your browser first — once opened, it cannot be reused. Copy the URL directly and paste it here without visiting it.

Once the user provides the link, make a GET request to it:

curl -s -L "<link-from-user>"

The response (or redirect) provides a temporary session token.

Resend Magic Link

If the verification email did not arrive or the link expired, resend it:

curl -s -X POST https://api.telnyx.com/v2/bot_signup/resend_magic_link -H "Content-Type: application/json" -d '{"email": "<user email>"}'

Response:

{
  "data": {
    "message": "If an account with that email exists, a new magic link has been sent."
  }
}

Rate limiting: Max 3 resends per account, with a 60-second cooldown between resends. The endpoint always returns 200 OK regardless of whether the email exists, the retry cap is exceeded, or the cooldown is active (to prevent email enumeration).

Step 5: Create API Key

curl -s -X POST https://api.telnyx.com/v2/api_keys \
  -H "Authorization: Bearer <session-token>" \
  -H "Content-Type: application/json" \
  -d '{}'

Response:

{
  "data": {
    "api_key": "KEYxxxxxxxxxxxxx",
    ...
  }
}

The data.api_key value is the permanent API key for the new account. Present it to the user and advise them to store it securely.

Notes

  • The PoW challenge is a spam-prevention mechanism. Solving typically takes a few seconds.
  • The single-use sign-in link expires quickly — retrieve and use it promptly.
  • Email access is optional. The skill works with or without it — if unavailable, the user is prompted to paste the link manually.

Comments

Loading comments...