Telnyx Freemium Upgrade

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for upgrading Telnyx, but it can automatically start an account-upgrade flow and send a GitHub OAuth token to Telnyx, which is high-impact and needs explicit user review.

Install only if you are comfortable with an agent helping upgrade your Telnyx account and sharing GitHub or LinkedIn identity-verification data with Telnyx. Before use, require explicit approval for each upgrade attempt, review the GitHub scopes/token path, and inspect the referenced companion signup skill separately.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could submit an account-upgrade evaluation and potentially change the Telnyx account tier when it encounters a blocked operation.

Why it was flagged

The instructions allow the agent to initiate the upgrade workflow from detected errors and choose an automated verification path, rather than only acting after an explicit user upgrade request.

Skill content

This skill triggers when the bot encounters a **freemium-blocked operation**... github_oauth NOT used → Try GitHub first (automated, no browser)

Recommendation

Require explicit user confirmation before any upgrade request, identity-verification submission, or account-tier change, and show the user what data will be sent.

What this means

A GitHub token from the user's local GitHub CLI session may be shared with Telnyx, potentially exposing profile and organization-access authority granted to that token.

Why it was flagged

The script submits a GitHub OAuth token to Telnyx for verification. This is related to the stated workflow, but it is high-impact credential handling beyond the primary Telnyx API key.

Skill content

DEFAULT_API_BASE = "https://api.telnyx.com" ... url = f"{api_base}/v2/account/upgrade/github" ... data = {"github_token": github_token}

Recommendation

Use this path only with informed consent, prefer an official scoped OAuth flow where possible, and use/revoke a least-privilege token if direct token submission is required.

What this means

Installing or using the companion skill could introduce additional account-creation or credential-handling behavior not reviewed here.

Why it was flagged

The skill references a separate companion skill for API-key generation/refresh, but that dependency is not included or pinned in the reviewed artifact set.

Skill content

This skill depends on **telnyx-bot-signup** for API key generation and refresh... `clawhub install telnyx-bot-signup`

Recommendation

Review the companion skill separately and pin a trusted version before using it for API-key generation or refresh.

What this means

Local cached state can affect future upgrade decisions; if stale or modified, the agent may take the wrong next step.

Why it was flagged

The skill relies on a persistent local cache to decide whether to skip, retry, or change verification methods.

Skill content

Read `~/.telnyx/upgrade.json`... decision: APPROVED → Skip evaluation entirely.

Recommendation

Treat the cache as advisory, confirm important states with Telnyx, and delete the cache if it becomes stale or untrusted.

What this means

A short-lived background process may continue polling GitHub while waiting for authorization.

Why it was flagged

The script starts a background GitHub auth-refresh process and records its PID, though it is bounded to the device-code authorization flow.

Skill content

BROWSER=false gh auth refresh --scopes user,read:org 2>"$TMPFILE" & ... echo "$REFRESH_PID" > "$PID_FILE"

Recommendation

Run scope refresh only when the user is present, keep the timeout bounded, and ensure the PID file is cleaned up after completion or cancellation.