Skill v1.0.0
ClawScan security
Telnyx Freemium Upgrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 7:36 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and instructions line up with its stated purpose (upgrading a Telnyx account using GitHub or LinkedIn verification), but it handles sensitive tokens (GitHub token, Telnyx API key) and writes local cache files — review before use.
- Guidance: This skill is internally consistent with its stated purpose, but it handles sensitive credentials in ways you should explicitly accept before installing: it will read or derive your Telnyx API key (env var or ~/.config/telnyx/config.json), use the local GitHub CLI to obtain your GitHub token (get-gh-token.sh / gh auth token), and send that token to Telnyx API endpoints to verify identity. If you do not trust the skill's author or Telnyx endpoints, do not install or run it. Recommended precautions: 1) Review the included scripts locally (they are bundled in the skill) to confirm behavior; 2) Only run on a machine you control; 3) Use least-privileged GitHub credentials (or prefer the LinkedIn browser flow) and do not reuse high-privilege personal tokens; 4) Be aware the skill writes ~/.telnyx/upgrade.json and a gh-refresh PID file; 5) Because the skill's source/homepage is unknown, consider running the scripts manually under supervision rather than granting autonomous agent execution.
Review Dimensions
- Purpose & Capability (ok): The skill claims to upgrade Telnyx accounts and requires a TELNYX_API_KEY plus the gh CLI and python3 to perform GitHub-based or LinkedIn-based verification. The included scripts (check-gh-auth, get-gh-token, refresh-gh-scopes, wait-for-auth, and the evaluator) match that purpose.
- Instruction Scope (note): Instructions explicitly read local files (~/.telnyx/upgrade.json and ~/.config/telnyx/config.json), use the local GitHub CLI to obtain the user's GitHub token, and submit that token or a LinkedIn OAuth flow to Telnyx API endpoints. This behavior is coherent with account verification, but it involves exfiltrating the GitHub token to the remote Telnyx API and polling remote status — the user must consent to that.
- Install Mechanism (ok): No install spec — scripts are packaged with the skill and executed as needed. Nothing is downloaded from external URLs and no packages are auto-installed by the skill, which minimizes supply-chain risk.
- Credentials (note): Only TELNYX_API_KEY is declared as the primary credential. The code also relies on the gh CLI to surface a GitHub token (via gh auth token) and will read ~/.config/telnyx/config.json for an API key fallback. Requesting the Telnyx API key and using the local gh token are proportionate for verification, but both are sensitive and the skill will transmit the GitHub token to Telnyx endpoints.
- Persistence & Privilege (ok): always is false. The skill writes per-user cache/state to ~/.telnyx/upgrade.json and a PID file under ~/.telnyx for the device-code flow; this is contained to the user's home directory and consistent with its functionality.
