Trust Assessment
universal-voice-agent received a trust score of 22/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 2 critical, 3 high, 5 medium, and 0 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Potential hardcoded secret (high entropy), Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Hardcoded API keys and SIDs.** The `run.sh` script directly exports API keys and Account SIDs as environment variables. Similar hardcoded fallback values are present in `scripts/agent.js` and `scripts/websocket-server.js`. This practice is a critical security vulnerability as it exposes sensitive credentials directly in the codebase. If these were real keys, they would be immediately compromised upon discovery, leading to unauthorized access and potential abuse of services (Twilio, Groq, ElevenLabs). Remove all hardcoded credentials from `run.sh`, `scripts/agent.js`, and `scripts/websocket-server.js`. Implement a secure secrets management solution (e.g., environment variables managed by the deployment platform, a secrets vault) to inject credentials at runtime. Never commit credentials to version control. | LLM | run.sh:4 |
| CRITICAL | **Unsanitized user input (`goal`, `conversationHistory`) fed to LLM.** The skill explicitly states that 'Haiku interprets the goal and adapts the conversation to achieve it' and 'Haiku gets full conversation history'. The `goal` parameter is directly derived from user input (`req.body.goal` or URL query parameter) in `scripts/websocket-server.js`. The `conversationHistory` includes transcribed user audio. Both of these are fed to the Haiku LLM without apparent sanitization or validation. A malicious user could craft a `goal` or spoken input to manipulate the Haiku LLM's behavior, leading to prompt injection attacks, potentially causing the LLM to deviate from its intended purpose, reveal sensitive information, or perform unintended actions. Implement robust input validation and sanitization for the `goal` parameter and any user-generated content in the `conversationHistory` before feeding it to the LLM. Consider using a separate, hardened LLM for safety checks, or employing techniques like prompt templating, input/output filtering, and privilege separation for LLM interactions. | LLM | scripts/websocket-server.js:100 |
| HIGH | **Hidden network beacons / undisclosed telemetry.** Command output piped through base64 encoding. Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/snail3d/clawd/universal-voice-agent/run.sh:12 |
| HIGH | **Suspicious `dotenv` package version.** The `package.json` specifies `dotenv: "^17.2.3"`. The latest stable version of `dotenv` is `16.x.x`. Version `17.x.x` is highly unusual and could indicate a typosquatting attempt or an unmaintained/malicious package. This poses a significant supply chain risk, as such a package could contain malicious code. Verify the authenticity of the `dotenv` package. Update to the latest stable and legitimate version (e.g., `^16.x.x`). Ensure package sources are trusted and consider using a package integrity checker. | LLM | package.json:13 |
| HIGH | **Potential data exfiltration via unvalidated `notifyTo` phone number.** The `agent.js` script sends an SMS summary of the call, including sensitive details like the goal, status, duration, and key confirmations, to the `notifyTo` number. This number can be provided by the user via the `--notify-to` command-line argument or `process.env.NOTIFY_TO`. If the `notifyTo` parameter is not properly validated to ensure it belongs to an authorized recipient, a malicious user could specify an arbitrary phone number to exfiltrate call summary data, leading to information leakage or SMS spam. Implement strict validation for the `notifyTo` phone number. Ensure that only pre-approved or securely verified phone numbers can receive call summaries. Consider requiring user authentication or explicit consent before sending summaries to a user-provided number. | LLM | scripts/agent.js:40 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=4.99) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/snail3d/clawd/universal-voice-agent/run.sh:7 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawd/universal-voice-agent/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $ANTHROPIC_API_KEY.** Access to sensitive environment variable '$ANTHROPIC_API_KEY' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawd/universal-voice-agent/run.sh:11 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'dotenv' is not pinned to an exact version ('^17.2.3'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/snail3d/clawd/universal-voice-agent/package.json |
| MEDIUM | **Usage of beta `express` package version.** The `package.json` specifies `express: "^5.2.1"`. `express` version 5.x.x is currently in beta. Using beta software in a production or critical application can introduce instability, unexpected behavior, and may contain unpatched vulnerabilities that are not yet addressed in a stable release. This can lead to security risks if vulnerabilities are discovered and not promptly fixed. Consider using the latest stable version of `express` (currently 4.x.x) for production environments. If 5.x.x features are critical, thoroughly review its stability and security implications, and monitor for updates and patches. | LLM | package.json:14 |
Full report: [SkillShield report fc03fdd501189934](https://skillshield.io/report/fc03fdd501189934)