Telnyx Network

Private mesh networking and public IP exposure via Telnyx WireGuard infrastructure. Connect nodes securely or expose services to the internet.

What to consider before installing/using: - Review and verify the scripts yourself. They will: call Telnyx APIs, create/delete cloud resources, write WireGuard config files containing private keys (wg-<name>.conf), modify iptables, and (optionally) add a sudoers file to allow passwordless wg/wg-quick. - Missing declared dependencies: the SKILL metadata only lists 'wg' and TELNYX_API_KEY, but the scripts also require curl, python3, sudo, iptables (or nftables equivalent), ip/ifconfig, wg-quick, and (for some commands) the Telnyx CLI. Ensure these are acceptable and installed. - Sudoers change is high-impact. setup-sudoers.sh writes /etc/sudoers.d/wireguard-<user> to allow passwordless execution of wg/wg-quick. Only run this if you trust the code and understand that it lets processes run WireGuard commands without a password. - Secrets handling: WireGuard private keys and config.json are saved unencrypted in the skill directory. Treat the TELNYX_API_KEY with least privilege (create a scoped/revocable key if Telnyx supports it) and consider file permissions and where you run these scripts (use an isolated VM/container if unsure). - Autonomous invocation: the skill is invocable by the agent and not marked 'always', but if you enable passwordless sudo you effectively permit the agent to manage networking without interactive confirmation. If you do not want that, do not run setup-sudoers.sh; instead run privileged commands manually. - Network exposure: exposing ports and adding an Internet Gateway will make services reachable from the public internet. The scripts block a list of database/SSH ports by default, but you should double-check firewall rules and only expose what you intend. - Safe deployment suggestions: test in an isolated environment (VM/container), use a Telnyx API key with minimal scope, audit and possibly harden the scripts (encrypt private keys, restrict sudoers to exact command paths and arguments, ensure iptables rules are safe), and avoid enabling passwordless sudo if you cannot fully audit and trust the code. If you want, I can produce a checklist of exact lines to inspect/change in the scripts to harden them (e.g., restrict sudoers commands, secure file permissions, or avoid saving private keys to disk).

Type: OpenClaw Skill Name: telnyx-network Version: 1.0.0 The skill is classified as suspicious due to the `setup-sudoers.sh` script, which, as instructed in `SKILL.md`, grants passwordless sudo access to `wg` and `wg-quick` commands. This represents a significant privilege escalation for the OpenClaw agent, allowing it to autonomously manage WireGuard network interfaces with root privileges. While documented and intended for autonomous operation, this capability introduces a high-risk vulnerability if the agent or skill inputs are compromised. Additionally, the `join.sh` script directly executes `sudo wg-quick up <config_file>` to apply generated WireGuard configurations, and other scripts interact with external Telnyx APIs and Telnyx Storage, providing network and data storage capabilities that could be misused if exploited.