Voice Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a voice input/output client whose behavior is openly disclosed: it talks to a local backend and uses AWS Polly for speech generation. It carries privacy and file-path cautions but shows no evidence of hidden or malicious behavior.

Install this only if you trust the separate backend you run on localhost:8000. Use deliberate audio input files and safe output paths, and avoid synthesizing secrets, regulated data, or private messages unless you are comfortable with the backend and AWS Polly handling that text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill states it uses AWS Polly for text-to-speech but does not clearly warn users that response text may be transmitted to a third-party cloud provider. In a voice workflow, users may assume processing is fully local because transcription is described as local Whisper and the backend runs on localhost, making the omission more misleading and increasing privacy risk for sensitive content.

VirusTotal

63/63 vendors flagged this skill as clean.