Back to skill

Security audit

Hume EVI + LangGraph Integration

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Hume/Twilio/LangGraph guide, but it includes insecure credential handling and under-scoped privacy guidance for call transcripts and emotion data.

Review before production use. Do not copy the API-key-in-URL pattern unless you have confirmed it is required for your setup; use least-privilege keys, avoid logging full webhook URLs, rotate exposed keys, validate webhooks, and set explicit consent, retention, encryption, deletion, and access-control rules for transcripts and emotion data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes fetching call transcripts and emotion data from Hume without any mention of user notice, consent, retention controls, or privacy safeguards. Because this is a voice-call integration handling highly sensitive conversational and affective data, the omission creates a real privacy and compliance risk even if the network calls themselves are expected for the feature.

External Transmission

Medium
Category
Data Exfiltration
Content
twiml = f'''<?xml version="1.0" encoding="UTF-8"?>
<Response>
    <Say voice="Polly.Matthew">Connecting now.</Say>
    <Redirect>https://api.hume.ai/v0/evi/twilio?config_id={config_id}&amp;api_key={api_key}</Redirect>
</Response>'''
```
Confidence
98% confidence
Finding
https://api.hume.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: Fetch events via chat_group
events_resp = httpx.get(
    f"https://api.hume.ai/v0/evi/chat_groups/{chat_group_id}/events",
    headers=headers, params={"page_size": 100}
)
events = events_resp.json().get("events_page", [])
Confidence
82% confidence
Finding
https://api.hume.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal