Elevenlabs Voice Agent

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for setting up ElevenLabs voice agents with Twilio, but users should handle Twilio credentials and live phone routing carefully.

Before installing, treat the Twilio Auth Token as a secret: do not paste it into chats unnecessarily, commit it to files, or include it in logs or screenshots. Confirm any agent creation, update, or phone-number connection before running it, monitor active call routing, and disable or disconnect agents and numbers when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill tells users to obtain and use a Twilio Account SID and Auth Token but provides no warning that these are sensitive secrets requiring secure storage and careful handling. In a skill focused on telephony setup and external service integration, omission of credential-handling guidance increases the chance users expose tokens in prompts, logs, screenshots, or source files, enabling account takeover or abuse.

VirusTotal

66/66 vendors flagged this skill as clean.
