telephony

Enables Hermes to manage phone capabilities, including SMS, MMS, and AI-driven calls using Twilio and Bland.ai.

Install this skill

or

15/100

Security score

The telephony skill was audited on May 17, 2026 and we found 25 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 24

Webhook reference - potential data exfiltration

SourceSKILL.md

24	- poll inbound SMS for that number with no webhook server required

medium line 39

Webhook reference - potential data exfiltration

SourceSKILL.md

39	It does not turn Hermes into a real-time inbound phone gateway. Inbound SMS is handled by polling the Twilio REST API. That is enough for many workflows, including notifications and some one-time-

medium line 63

Webhook reference - potential data exfiltration

SourceSKILL.md

63	- cleanest future path to inbound webhooks or call handling

medium line 267

Webhook reference - potential data exfiltration

SourceSKILL.md

267	### C. Check inbound texts later with no webhook server

medium line 323

Webhook reference - potential data exfiltration

SourceSKILL.md

323	- Hermes STT/TTS alone is not being used here as a full duplex phone conversation engine; that would require a much heavier streaming/webhook integration than this skill is trying to introduce

medium line 386

Webhook reference - potential data exfiltration

SourceSKILL.md

386	- webhook-based live SMS push into the agent loop

medium line 20

Access to hidden dotfiles in home directory

SourceSKILL.md

20	- save provider credentials into `~/.hermes/.env`

medium line 107

Access to hidden dotfiles in home directory

SourceSKILL.md

107	### `~/.hermes/.env`

medium line 118

Access to hidden dotfiles in home directory

SourceSKILL.md

118	### `~/.hermes/telephony_state.json`

low line 133

Access to hidden dotfiles in home directory

SourceSKILL.md

133	SCRIPT="$(find ~/.hermes/skills -path '*/telephony/scripts/telephony.py' -print -quit)"

medium line 244

Access to hidden dotfiles in home directory

SourceSKILL.md

244	3. Buy it and save it into `~/.hermes/.env` + state:

medium line 406

Access to hidden dotfiles in home directory

SourceSKILL.md

406	3. persist that number to `~/.hermes/.env`

medium line 20

Access to .env file

SourceSKILL.md

20	- save provider credentials into `~/.hermes/.env`

medium line 107

Access to .env file

SourceSKILL.md

107	### `~/.hermes/.env`

medium line 244

Access to .env file

SourceSKILL.md

244	3. Buy it and save it into `~/.hermes/.env` + state:

medium line 406

Access to .env file

SourceSKILL.md

406	3. persist that number to `~/.hermes/.env`

low line 152

External URL reference

SourceSKILL.md

152	- https://www.twilio.com/try-twilio

low line 189

External URL reference

SourceSKILL.md

189	- https://app.bland.ai

low line 200

External URL reference

SourceSKILL.md

200	- https://dashboard.vapi.ai

low line 264

External URL reference

SourceSKILL.md

264	python3 "$SCRIPT" twilio-send-sms "+15551230000" "Here is the chart." --media-url "https://example.com/chart.png"

low line 301

External URL reference

SourceSKILL.md

301	python3 "$SCRIPT" twilio-call "+155****0000" --audio-url "https://example.com/briefing.mp3"

low line 414

External URL reference

SourceSKILL.md

414	- Twilio phone numbers: https://www.twilio.com/docs/phone-numbers/api

low line 415

External URL reference

SourceSKILL.md

415	- Twilio messaging: https://www.twilio.com/docs/messaging/api/message-resource

low line 416

External URL reference

SourceSKILL.md

416	- Twilio voice: https://www.twilio.com/docs/voice/api/call-resource

low line 418

External URL reference

SourceSKILL.md

418	- Bland.ai: https://app.bland.ai/

Scanned on May 17, 2026

View Security Dashboard

Installation guide →

GitHub Stars 153.5K

Rate this skill

Categorysales

UpdatedMay 20, 2026

api customer-success-manager sdr sales-operations business-development technical-support twilio sales support

NousResearch/hermes-agent