Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twilio Comms

v1.0.0

Twilio SMS, Voice, WhatsApp, and Verify (2FA) — send messages, make calls, and run verification flows from the CLI.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fr3kstyle/twilio-comms.

Install the skill "Twilio Comms" (fr3kstyle/twilio-comms) from ClawHub.
Skill page: https://clawhub.ai/fr3kstyle/twilio-comms
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install twilio-comms

ClawHub CLI

npx clawhub@latest install twilio-comms

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md and included script implement the stated Twilio SMS/Voice/WhatsApp/Verify functionality. However the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the script require TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN and TWILIO_FROM_NUMBER (and optionally TWILIO_VERIFY_SERVICE_SID). This metadata omission is an incoherence.
Instruction Scope
Runtime instructions and the script are narrowly scoped to calling Twilio APIs (api.twilio.com and verify.twilio.com) and formatting output. The script does not read arbitrary files, other credentials, or transmit data to third-party endpoints beyond Twilio. Commands and arguments are explicit.
Install Mechanism
There is no install spec (instruction-only usage) and the included code is a plain Python script that uses requests. No downloads from third-party URLs, no archive extraction, and no package managers are invoked — low installation risk. Note: the script will be executed from its path (scripts/twilio_comms.py).
Credentials
The script legitimately requires sensitive Twilio credentials (account SID and auth token) and a sender number, but the skill metadata does not declare these env vars or a primary credential. That mismatch is problematic because users may not realize they must provide secrets, and the owner is unknown. The number and type of env vars requested by the code are otherwise proportionate to the stated purpose.
Persistence & Privilege
The skill is not marked always:true, does not request persistence, and does not alter other skills or system-wide configuration. Model invocation is allowed (default) which is normal for user-invocable skills.
What to consider before installing
This package appears to implement a legitimate Twilio CLI, but take these precautions before installing or supplying credentials:

  • Confirm the source: the owner and homepage are unknown. Prefer packages from a known author or official repo.
  • Metadata mismatch: the registry did not declare required env vars even though SKILL.md and the script require TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, and TWILIO_FROM_NUMBER. Don't assume the registry listing is complete.
  • Limit exposure of credentials: use a Twilio API Key/Secret or a dedicated subaccount with minimal permissions and test credits, not your primary production account SID/token. Rotate keys after testing.
  • Review the script locally: the code is short and readable; inspect it yourself and run it in an isolated environment before providing real credentials.
  • Understand risk: these credentials can send messages and place calls (which can incur charges and leak information). Only provide them to trusted code and consider running on a machine/account with restricted network and billing limits.

If the package maintainer/registry entry is updated to declare required env vars and provide a verifiable homepage or source repository, and you can verify the script contents match that source, the concerns would be reduced.

Like a lobster shell, security has layers — review code before you run it.

v1.0.0 · MIT-0 · 145 downloads · 0 stars · 1 version · Updated 1mo ago

Twilio Comms

Automate SMS, voice calls, WhatsApp messaging, and two-factor authentication flows via the Twilio API. Send and track messages, place and monitor outbound calls, send WhatsApp templates or free-form messages, and run complete Verify 2FA flows — all from a single Python CLI tool.

Setup

export TWILIO_ACCOUNT_SID="ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export TWILIO_AUTH_TOKEN="your_auth_token_here"
export TWILIO_FROM_NUMBER="+15550001234"        # your Twilio number
export TWILIO_VERIFY_SERVICE_SID="VAxx..."      # optional, for Verify/2FA

Get credentials: console.twilio.com → Account Info.

Commands / Usage

# ── SMS ─────────────────────────────────────────────────
# Send an SMS
python3 scripts/twilio_comms.py sms-send --to "+61400000000" --body "Hello from Twilio!"
python3 scripts/twilio_comms.py sms-send --to "+61400000000" --body "Custom sender" --from "+15550001234"

# List recent messages
python3 scripts/twilio_comms.py sms-list
python3 scripts/twilio_comms.py sms-list --limit 50 --to "+61400000000"

# Get delivery status of a message
python3 scripts/twilio_comms.py sms-status --sid "SMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# ── VOICE ───────────────────────────────────────────────
# Make an outbound call (plays TwiML message)
python3 scripts/twilio_comms.py call-make --to "+61400000000" --message "Hello, this is an automated call."
python3 scripts/twilio_comms.py call-make --to "+61400000000" --twiml-url "https://demo.twilio.com/docs/voice.xml"

# List recent calls
python3 scripts/twilio_comms.py call-list
python3 scripts/twilio_comms.py call-list --limit 25 --status completed

# Get call details and status
python3 scripts/twilio_comms.py call-status --sid "CAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Get call recordings
python3 scripts/twilio_comms.py call-recordings --call-sid "CAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# ── WHATSAPP ────────────────────────────────────────────
# Send a free-form WhatsApp message (within 24h session window)
python3 scripts/twilio_comms.py wa-send --to "+61400000000" --body "Hi from WhatsApp via Twilio!"

# Send a template message (outside 24h window)
python3 scripts/twilio_comms.py wa-template --to "+61400000000" --template "Your appointment is confirmed for {{1}}." --params "Monday 3pm"

# ── VERIFY / 2FA ────────────────────────────────────────
# Send a verification code (SMS or call)
python3 scripts/twilio_comms.py verify-send --to "+61400000000"
python3 scripts/twilio_comms.py verify-send --to "+61400000000" --channel voice

# Check/verify the code
python3 scripts/twilio_comms.py verify-check --to "+61400000000" --code "123456"

Requirements

  • Python 3.8+
  • requests (pip install requests)
  • Environment variables: TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_FROM_NUMBER
  • Optional: TWILIO_VERIFY_SERVICE_SID for Verify/2FA commands
