Voice Agent Pro

Security checks across malware telemetry and agentic risk

Overview

This is an openly described voice-cloning and calling skill, but it needs Review because it can automate calls in a cloned voice while under-specifying consent, disclosure, credential handling, and data retention.

Install only after adding operational safeguards. Use only voice samples with documented permission, disclose AI/synthetic voice use at the start of calls and voicemails, confirm legal permission for outbound calls and SMS, keep suppression/opt-out lists, and avoid enabling cron or cross-skill call triggers until approval rules are clear. Store credentials in a secret manager or locked-down environment, review what text and audio are sent to ElevenLabs/Twilio/Telegram, and define retention/deletion rules for samples, generated audio, transcripts, lead data, and cloned voices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README states that the agent 'retrieves automatically' API-related identifiers and creates service-side resources, but it does not warn users to treat these values as secrets or constrain how they are stored, displayed, or shared. In an agentic environment, ambiguous handling of credentials increases the chance of secret exposure through logs, chat output, screenshots, or unsafe persistence, which can lead to unauthorized use of ElevenLabs, Telegram, or Twilio resources.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The README promotes voice cloning from uploaded samples without any warning about consent, impersonation, biometric privacy, or jurisdiction-specific legal restrictions. Because cloned voice data is highly sensitive and can enable convincing fraud or unauthorized impersonation, omitting these safeguards materially increases misuse risk, especially in a tool explicitly designed to act in the principal's voice.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The README advertises automated inbound and outbound calling, lead qualification, and booking behavior without any compliance warning about consent, call recording, caller identification, TCPA/Do-Not-Call rules, or regional telecom laws. In practice, this can facilitate unlawful robocalling, deceptive AI interactions, and unconsented recording at scale, creating legal, financial, and reputational harm for users and call recipients.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill describes storing transcripts, lead scores, and call outcomes for inbound and outbound calls, but provides only minimal consent language and no concrete compliance controls for recording, retention, or jurisdiction-specific notice requirements. In a voice-cloning and telephony context, this is dangerous because it can lead to unlawful recording, privacy violations, and misuse of highly sensitive conversational data at scale.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs users to place API keys, Twilio credentials, and Telegram tokens into environment files and config.json without any safeguards around secret storage, redaction, file permissions, or accidental logging. This is risky because these credentials enable third-party account access and could be exposed through workspace files, audits, backups, or other skills with filesystem access.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The prompt directs the agent to send SMS messages and resources after a call, but it does not require the caller's consent, disclosure of messaging/data use, or any privacy/compliance guardrails. In a voice-calling skill integrated with Twilio and lead handling, this can lead to unsolicited outreach, use of personal contact data without clear notice, and regulatory exposure under telecom and privacy rules.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The voicemail script references prior user actions and outreach history ('I noticed you [ACTION THEY TOOK]' and 'reply to the email I sent you') without any requirement that such data be lawfully collected, accurate, or appropriate to use in automated calling. In this skill's context of cloned voice and automated outbound calls, that increases the risk of privacy-invasive personalization, misleading contact, and misuse of lead data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The guide tells users to persist sensitive credentials and identifiers into .env/config files without any warning about file permissions, rotation, exclusion from logs/backups, or avoiding accidental commits. In an agent/container environment, these files are often broadly readable, copied into backups, or exposed through debugging workflows, increasing the chance of credential leakage.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: This section instructs users to upload local voice samples to an external voice-cloning service but provides no warning about consent, biometric privacy, retention, or legal/compliance implications. Because the skill is specifically designed to clone a principal's voice for autonomous outbound/inbound calling, omission of consent safeguards materially increases the risk of deceptive impersonation and privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The call-listing command prints full phone numbers and lead metadata to stdout without masking or role checks. In shared terminals, logs, CI runs, or agent transcripts, this can expose sensitive personal data and increase privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The TTS function transmits provided text to ElevenLabs, which may include confidential scripts, customer data, or regulated content, without an explicit disclosure or consent boundary at the point of use. In an agent skill context, users may assume local processing and unintentionally send sensitive data to a third party.

VirusTotal

63/63 vendors flagged this skill as clean.