Vapi

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly coherent Vapi connector, but it also exposes a sandboxed TypeScript execution action without enough top-level scoping or safety guidance.

Review this before installing, and consider not installing it at all if you do not need Vapi code-tool testing. If installed, use it only with a Vapi account you trust it to manage, confirm every write/delete payload before it is sent, and require explicit human approval before each run of the TypeScript execution action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
This action explicitly enables execution of arbitrary TypeScript code in a sandbox, which materially expands the skill from Vapi data operations into general code execution. Even when sandboxed, arbitrary code execution can be abused for data exfiltration, unexpected network access, privilege misuse through whatever integrations the sandbox can reach, or bypass of the higher-level safety expectations about what the skill is allowed to do. The sandbox bounds the host; it does not bound what the code may do with the credentials and connections available inside it.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill metadata says it should be used for Vapi requests involving reading, creating, updating, and deleting data, but this file documents a code-execution primitive instead. That mismatch is dangerous because it can mislead users, reviewers, and calling agents into granting access under a narrower trust model (CRUD over Vapi data) than the skill actually provides (general code execution), increasing the chance of unsafe invocation.
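The two findings above, plus the recommendation to confirm write/delete payloads and require explicit approval before running the TypeScript action, can be turned into two concrete controls: a static check that compares what a skill's metadata declares against what its actions actually require, and a runtime gate in front of every tool call. The example below is added here and is not Vapi's or the skill's own code; the manifest shape, action names, capability labels and policy interface are assumptions made for illustration.

```typescript
// Added example (not Vapi's or the skill's own code): a manifest scope check
// plus a runtime approval gate for an agent skill that mixes Vapi data
// actions with a code-execution action. Manifest shape, action names and the
// policy interface are assumptions for illustration.

type Capability = "read" | "create" | "update" | "delete" | "code_execution";

interface SkillAction {
  name: string;
  capability: Capability;
}

interface SkillManifest {
  name: string;
  declaredScope: Capability[]; // what the skill metadata claims it does
  actions: SkillAction[];      // what the skill actually exposes
}

interface GatePolicy {
  allowCodeExecution: boolean; // operator opt-in; should default to false
  // Shows the action and its full payload to a human and returns the answer.
  approver: (action: SkillAction, payload: unknown) => boolean;
}

interface GateResult {
  decision: "allow" | "deny";
  reason: string;
}

// Constructed manifest modelled on the findings: metadata claims CRUD over
// Vapi data, but one action is a sandboxed TypeScript execution primitive.
const vapiSkill: SkillManifest = {
  name: "vapi",
  declaredScope: ["read", "create", "update", "delete"],
  actions: [
    { name: "list_assistants", capability: "read" },
    { name: "create_assistant", capability: "create" },
    { name: "delete_assistant", capability: "delete" },
    { name: "run_typescript", capability: "code_execution" },
  ],
};

// Install/review-time check: every exposed action must fall inside the scope
// the metadata declares. A non-empty result is the description-behavior
// mismatch from the second finding.
function scopeMismatches(m: SkillManifest): string[] {
  return m.actions
    .filter((a) => !m.declaredScope.includes(a.capability))
    .map((a) => `${a.name}: ${a.capability} is outside declared scope`);
}

// Runtime gate in front of every tool call: reads pass, writes and deletes are
// shown to the approver with their payload, and code execution is denied unless
// the operator opted in AND the approver confirms this specific call.
function gate(
  m: SkillManifest,
  actionName: string,
  payload: unknown,
  policy: GatePolicy,
): GateResult {
  const action = m.actions.find((a) => a.name === actionName);
  if (!action) {
    return { decision: "deny", reason: `unknown action ${actionName}` };
  }
  if (action.capability === "code_execution") {
    if (!policy.allowCodeExecution) {
      return { decision: "deny", reason: "code execution not enabled for this skill" };
    }
    return policy.approver(action, payload)
      ? { decision: "allow", reason: "code execution explicitly approved" }
      : { decision: "deny", reason: "code execution not approved" };
  }
  if (!m.declaredScope.includes(action.capability)) {
    return { decision: "deny", reason: `${action.capability} is outside declared scope` };
  }
  if (action.capability === "read") {
    return { decision: "allow", reason: "read-only action" };
  }
  return policy.approver(action, payload)
    ? { decision: "allow", reason: `${action.capability} payload confirmed` }
    : { decision: "deny", reason: `${action.capability} payload not confirmed` };
}

// Approver that records what a human would have been shown; the answer is
// injected so the example runs non-interactively.
function loggingApprover(answer: boolean, log: string[]): GatePolicy["approver"] {
  return (action, payload) => {
    log.push(`${action.name} (${action.capability}) payload=${JSON.stringify(payload)}`);
    return answer;
  };
}

// Walks the three interesting cases under a conservative policy.
function demo(): GateResult[] {
  const log: string[] = [];
  const conservative: GatePolicy = { allowCodeExecution: false, approver: loggingApprover(true, log) };
  return [
    gate(vapiSkill, "list_assistants", {}, conservative),
    gate(vapiSkill, "delete_assistant", { id: "example-id" }, conservative), // constructed payload
    gate(vapiSkill, "run_typescript", { code: "process.env" }, conservative), // constructed payload
  ];
}
```

The scope check is what a reviewer runs once before installing; the gate is what the agent runtime runs on every call. Keeping `allowCodeExecution` off by default means a skill whose metadata says "CRUD over Vapi data" cannot quietly grow into general code execution, and routing code execution through the same approver as deletes gives the operator a chance to read the code before it runs.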

VirusTotal

63/63 vendors flagged this skill as clean.
