Telnyx Cli
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Telnyx integration, but it gives the agent broad account-changing authority and automatic companion-skill handoffs for sign-in, API-key creation, and upgrades without clear confirmation boundaries.
Only install this if you are comfortable giving Clawdbot access to your Telnyx account. Before use, review the companion signup and upgrade skills, verify the Telnyx CLI package, and require explicit confirmation for API-key creation, message sending, phone-number purchases/releases, and upgrades.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could obtain and persist a Telnyx API key with broad account authority after a minimal prompt, which may let it send messages, view account data, or change paid resources.
The skill directs the agent to initiate account sign-in or account creation and generate a fresh API key through a companion flow after obtaining only an email, without requiring an explicit user choice between signup, signin, or key refresh.
Do NOT ask whether the user has an account or not... just ask for their email and proceed. ... session token → POST /v2/api_keys → fresh API key.
Require explicit user confirmation before signup/signin, API-key creation, key refresh, or key storage; clearly state what account permissions the key grants and how to revoke it.
Sensitive information such as email address, account session state, API keys, or GitHub identity-verification data may be handled by other skills the user has not reviewed.
The skill routes account lifecycle, API-key generation, and identity-verification work to companion skills automatically, but those companion skills and their data boundaries are not included in the reviewed artifacts.
When used through Clawdbot, handoffs happen automatically: - No API key? → telnyx-bot-signup creates one ... - Freemium wall? → telnyx-freemium-upgrade initiates GitHub-based identity verification
Review the companion skills separately and require explicit approval before any handoff that shares identity data, creates credentials, or initiates an upgrade.
Mistaken or overbroad agent actions could send unwanted messages, incur costs, buy phone numbers, release existing numbers, or retry webhook events unexpectedly.
The documented CLI commands include high-impact external communications and billing/account mutations, but the artifacts do not define confirmation, dry-run, recipient validation, spending limits, or rollback guidance.
`telnyx message send` | Send SMS/email/WhatsApp ... `telnyx number buy` | Purchase a number ... `telnyx number release` | Release a number
Require explicit user approval for message sends, bulk messaging, number purchases/releases, webhook retries, and other account-changing actions; prefer list/search/status commands before mutation.
Installing a global CLI package expands the local environment and depends on the integrity of the npm package being installed.
The setup script installs an unpinned global npm package. This is expected for a Telnyx CLI skill, but it relies on npm package provenance and global installation behavior.
npm install -g @telnyx/api-cli
Verify the package is the official Telnyx CLI, consider pinning a known-good version, and install it in a controlled environment where possible.
