Trust Assessment
phone-voice received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 1 medium, and 1 low severity. Key findings include Direct injection of user-controlled transcripts into LLM system prompt, Potential command injection via `gog CLI` for calendar events, Hardcoded default for sensitive VOICE_PIN in documentation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct injection of user-controlled transcripts into LLM system prompt.** The skill explicitly states that 'Recent call transcripts' are 'All injected into the system prompt before Claude sees the conversation.' Call transcripts contain user utterances. A malicious caller can craft input during a conversation that, when saved to a transcript and subsequently injected into the system prompt, can manipulate the underlying Anthropic Claude LLM. This allows for prompt injection attacks, potentially leading to unauthorized actions, data exfiltration, or model manipulation. Recommendation: implement robust sanitization and separation of user-generated content before injecting it into the LLM's system prompt. Consider using a dedicated 'user' role for raw user input and a 'system' role for trusted instructions. Ensure that historical conversation turns are clearly delineated and not treated as part of the system's core instructions. Review and sanitize `MEMORY.md` and `USER.md` if their content can be influenced by untrusted sources. | LLM | SKILL.md:151 |
| MEDIUM | **Potential command injection via `gog CLI` for calendar events.** The skill mentions 'Calendar events (optional, via gog CLI)' as a source of 'Live data injection.' If the bridge server constructs and executes shell commands to interact with the `gog CLI` tool, and any part of the command arguments is derived from untrusted user input (e.g., a user asking for events on a specific, user-provided date), it could lead to arbitrary command execution on the host system. The bridge server is exposed to the internet via Cloudflare/ngrok, increasing the severity of this potential vulnerability. Recommendation: if `gog CLI` is invoked via `subprocess` or similar, ensure that all arguments passed to it are strictly validated and sanitized. Avoid constructing shell commands directly with user input. Prefer using `subprocess.run()` with `shell=False` and passing arguments as a list. If user input is required for arguments, use a whitelist or strict regex validation. | LLM | SKILL.md:149 |
| LOW | **Hardcoded default for sensitive VOICE_PIN in documentation.** The documentation provides an example of a `VOICE_PIN` with a hardcoded, weak default value ('banana'). Although it instructs the user to 'Set in .env', the presence of such a default in the documentation could lead users to deploy with insecure configurations if they don't explicitly change it. This exposes a critical authentication credential. Recommendation: remove the hardcoded default value from the documentation example. Instead, provide a placeholder like `VOICE_PIN=<your-secret-word>` or emphasize the importance of choosing a strong, unique PIN. | LLM | SKILL.md:119 |
Full report: https://skillshield.io/report/e8b2508f2424c06d