Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- bin/vapi-api.mjs:9
Security audit
Security checks across malware telemetry and agentic risk
This skill does what it says: it helps an agent manage Vapi voice assistants and calls, with expected but important cautions around API keys, outbound calls, and the optional CLI installer.
Install this only if you want an agent to manage your Vapi account. Store VAPI_API_KEY in a secret manager, inspect or avoid the optional curl-to-bash CLI installer, leave VAPI_BASE_URL unset unless you trust the destination, and require explicit approval before creating assistants, changing phone or webhook settings, or starting outbound calls.
64/64 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access