In this case, while these environment variables appear to be sensitive, they are ephemeral keys, uniquely issued to the Function as part of running within Lambda. Their associated actions and permissions have been reviewed, approved and are required to run the Function. There is no risk of any Twilio customer’s Function being accessed or modified by disclosure of these keys.
That said, we much appreciate the community raising potential concerns. If y’all ever see anything that looks like a vulnerability, we’d love for you to submit it to our Bug Bounty program: https://bugcrowd.com/twilio