Voice.Ai Voice Agents
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears aligned with managing Voice.ai agents, but it requires a Voice.ai API key and can create, deploy, update, and delete account resources.
This skill is reasonable for Voice.ai agent management. Before installing, be sure you trust the publisher, use a scoped Voice.ai API key, and carefully confirm any create/update/deploy/delete requests, especially for production agents or MCP-connected tools.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command could change or remove a Voice.ai agent or deploy it for calls.
The CLI exposes account-mutating operations, including deploying and deleting agents. This matches the skill purpose, but users should treat these commands as high-impact.
Commands:\n create Create a new agent\n list List all agents\n get Get agent details\n update Update an agent\n deploy Deploy an agent for calls\n pause Pause an agent\n delete Delete an agent
Use specific agent IDs, review update/deploy/delete requests carefully, and consider adding a manual confirmation step for destructive actions.
Anyone or any agent process with this API key may be able to manage Voice.ai resources permitted by that key.
The skill requires a Voice.ai API key to act on the user's account. This is expected for the integration and is not shown being leaked or reused elsewhere.
const apiKey = process.env.VOICE_AI_API_KEY;\nif (!apiKey) {\n console.error('Error: VOICE_AI_API_KEY environment variable is required');Use the least-privileged Voice.ai key available, keep it out of chat logs and repositories, and rotate it if exposed.
A deployed voice agent connected to external MCP tools could expose data to, or trigger actions through, those tools depending on configuration.
The skill can configure Voice.ai agents to use MCP-connected external tools. This is disclosed and purpose-aligned, but MCP connections can extend what deployed voice agents may access or do.
- **MCP Integration** - Connect agents to external tools via MCP
Only connect trusted MCP servers, limit their permissions, and review any credentials or custom headers before adding them.
Incorrect or sensitive knowledge base content could be reused by Voice.ai agents in later calls.
The skill supports persistent knowledge bases used by agents. This is expected for RAG-style voice agents, but stored knowledge can influence future agent responses.
- **Knowledge Base** - RAG-powered agents with custom knowledge
Review knowledge base contents before connecting them to deployed agents, and avoid adding secrets or private data unless intended.
Users have less external provenance information for verifying the publisher or code history.
The registry metadata does not provide a source repository or homepage. The included files are readable and no suspicious static findings were reported, but provenance is limited.
Source: unknown\nHomepage: none
Install only if you trust the publisher and review the included code before giving it a real API key.