Back to skill

Security audit

send-ai-voice-message-via-sms

Security checks across malware telemetry and agentic risk

Overview

This is a clearly described SMS voice-notification skill with no executable code, installer, persistence, or hidden local access.

Install only if you intend to send voice-message links by SMS. Before using it, verify the recipient number, confirm the recipient consented to receive the message, review the generated text and audio link, and understand any SMS/TTS costs or retention of hosted audio links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description and workflow indicate that it can generate personalized content, convert it to speech, and send an SMS with an external audio link, but they do not clearly warn the operator that this performs outbound communication to a phone number. That omission increases the risk of unintended disclosure of personal or sensitive information, accidental messaging of third parties, and misuse in spam or social-engineering contexts because users may invoke the skill without appreciating that it triggers real-world external delivery.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.