Elderly Voice Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent elderly voice assistant, but it can monitor inactivity and notify family without clear opt-in, recipient, or disable controls.

Install only after the elderly user and any caregiver understand and agree to audio processing, voice-triggered messaging, and inactivity alerts. Before real use, make family notifications opt-in, set approved recipients and thresholds, add a simple pause/disable control, and require confirmation before sending messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The proactive inactivity check can notify family members after 24 hours without user interaction, creating a behavioral-monitoring channel that goes beyond ordinary voice-assistant actions. For an elderly-focused assistant, this can expose presence, routines, or possible absence without explicit consent, making the privacy impact contextually significant.

Missing User Warnings

Medium
Confidence: 87%
Finding
The description advertises notifying family during inactivity but does not warn users that the assistant monitors usage patterns and may disclose them to third parties. This is a privacy-design issue because users may not expect passive monitoring and escalation from a tool framed as a simple voice assistant.

VirusTotal

64/64 vendors flagged this skill as clean.
