LiveKit Voice AI

Security checks across malware telemetry and agentic risk

Overview

This skill is a normal LiveKit voice-agent guide, with a caution that its phone-call example can contact real numbers if copied into a working project.

Before using this skill, protect API keys, review LiveKit and provider billing/privacy terms, and add safeguards before enabling outbound calls: use test numbers first, require explicit authorization and consent, restrict allowed destinations, rate-limit call creation, and keep audit logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill documents code for placing outbound SIP calls to a real phone number but provides no warning about the real-world effect, consent requirements, cost, or abuse potential. In a voice-agent skill, this increases the chance that a user will copy and run telephony functionality that can contact external parties, incur charges, or violate policy/law if used without safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal