voiceskill123

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only voice-call skill that matches its purpose, though live use can place real phone calls through third-party providers.

Install this only if you want agents to place or manage voice calls. Use mock mode for testing, protect provider credentials, set provider-side spend or destination limits where available, and require clear confirmation of the phone number and message before any live call.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This skill enables agent-initiated phone calls through external telephony providers and can reach real phone numbers, but the skill text does not clearly warn users about that external action or its real-world effects. Without an explicit warning, users or downstream agents may trigger calls assuming this is a local or low-risk action, leading to unintended contact, charges, privacy issues, or abuse of configured provider credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal