Back to skill

Security audit

voiceskill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it lets an agent place real phone calls without enough built-in guidance about consent, costs, or provider data handling.

Review before installing with real Twilio, Telnyx, or Plivo credentials. Prefer mock mode for testing, require explicit approval for each real call, restrict allowed destination numbers, and assume call content and metadata may be handled or retained by the configured telephony provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill enables agent-initiated voice calls through external providers such as Twilio, Telnyx, and Plivo, but the documentation does not warn users that phone numbers, call metadata, and call content may be transmitted to third-party telephony services. This omission can lead to uninformed use of the skill in sensitive contexts, increasing privacy, compliance, and consent risks when agents place calls on a user's behalf.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal