Security audit

voip-manager

Security checks across malware telemetry and agentic risk

Overview

This is a sparse but coherent VoIP skill with expected API-key use and no hidden code or malicious behavior shown.

Install only if you know which VoIP provider and script you intend to use. Use a dedicated least-privilege API key, keep it out of prompts and logs, and require confirmation before placing, ending, forwarding, recording, or otherwise changing calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill's activation guidance is broad enough that an agent may invoke it for loosely related 'voice' or 'communication' tasks without clear user intent or scope checks. Because this skill can trigger external VoIP operations, ambiguous routing increases the chance of unintended calls or actions being performed in the real world.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation instructs use of a VoIP API key and describes external VoIP operations, but it does not warn users that the skill may interact with third-party services, consume paid resources, or initiate communications. This omission can lead to unsafe deployment, accidental credential misuse, and unanticipated external actions with financial and privacy consequences.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal