ClawHub

Telnyx Bot Signup

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Telnyx signup, but it handles email sign-in links, terms acceptance, and permanent API key creation without enough explicit user confirmation.

Install only if you intentionally want an agent to create a Telnyx account for you. Before running it, review Telnyx terms yourself, confirm any mailbox access and magic-link use, ensure links are actually Telnyx links, and store the generated API key as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to access the user's mailbox and extract a single-use authentication link, which is highly sensitive authentication material. Without an explicit consent gate and a clear privacy warning that the agent may read email contents, this can normalize overbroad mailbox access and expose the user to unauthorized account access or privacy violations.

External Transmission

Medium
Category
Data Exfiltration
Content
**Ask the user for their email address** before making this request.

```bash
curl -s -X POST https://api.telnyx.com/v2/bot_signup \
  -H "Content-Type: application/json" \
  -d '{
    "pow_nonce": "<nonce from step 1>",
Confidence
84% confidence
Finding
https://api.telnyx.com/

External Transmission

Medium
Category
Data Exfiltration
Content
If the verification email did not arrive or the link expired, resend it:

```bash
curl -s -X POST https://api.telnyx.com/v2/bot_signup/resend_magic_link -H "Content-Type: application/json" -d '{"email": "<user email>"}'
```

**Response:**
Confidence
81% confidence
Finding
https://api.telnyx.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 5: Create API Key

```bash
curl -s -X POST https://api.telnyx.com/v2/api_keys \
  -H "Authorization: Bearer <session-token>" \
  -H "Content-Type: application/json" \
  -d '{}'
Confidence
94% confidence
Finding
https://api.telnyx.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal