ElevenLabs Phone Reminder (Lite)

Security checks across malware telemetry and agentic risk

Overview

This is a transparent setup guide for AI phone reminders, but users must handle phone-call consent, billing, and API credentials carefully.

Install only if you are comfortable following a manual third-party setup guide. Use a dedicated or restricted Twilio setup where possible, protect API keys and auth tokens, avoid committing or logging secrets, monitor billing, and only place calls to recipients who have consented and where your use complies with applicable calling, disclosure, and recording rules.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly guides users to place outbound AI phone calls but omits any warning about consent, privacy, caller-ID disclosure, recording rules, or jurisdiction-specific telemarketing/robocall restrictions. That omission materially increases the chance of unlawful or deceptive use, especially because the workflow is framed as easy and production-like.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The guide instructs users to handle ElevenLabs and Twilio credentials directly in shell variables and later inject them into API requests without any warning about secret storage, logging exposure, shell history leakage, or rotation. If copied into insecure environments, these credentials could be stolen and abused to place calls, incur charges, or access account resources.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal