Trust Assessment
universal-voice-agent received a trust score of 22/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 3 critical, 3 high, 5 medium, 0 low and 1 informational. Key findings include hidden network beacons / undisclosed telemetry, a potential hardcoded secret (high entropy), and a missing required `name` field in the skill frontmatter.
The analysis covered four layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest, at 0/100; the three critical and three high findings all come from that layer.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Description | Recommended fix | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Hardcoded API keys and tokens | `scripts/agent.js` and `scripts/websocket-server.js` use hardcoded API keys and authentication tokens as fallback values. Whenever the corresponding environment variable is unset, the literal credential from the source is used, so anyone with read access to the repository holds working credentials. Affected: Twilio Account SID, Auth Token and phone number, Groq API key, ElevenLabs API key. | Remove every hardcoded credential and rotate any that were real. Load sensitive values exclusively from environment variables or a secrets manager, fail closed when one is missing, and document how users are expected to configure them. | LLM | scripts/agent.js:13 |
| CRITICAL | Hardcoded API keys and tokens | Same finding as the row above, reported at a second location. | Same as above. | LLM | scripts/websocket-server.js:19 |
| CRITICAL | Hardcoded API keys and tokens in shell script | `run.sh` exports API keys and tokens as environment variables directly, so the credentials sit in plain text in the repository and are exposed if it is compromised or made public. | Remove the credentials from `run.sh`. Have users set these variables outside the script, for example in a `.env` file loaded by `dotenv` and excluded from version control, or directly in their shell environment. | LLM | run.sh:4 |
| HIGH | Hidden network beacons / undisclosed telemetry | The rule fired on command output being piped through base64 encoding. The only evidence reported is that base64 pipe; the INFO finding at the end of this table attributes a base64 construction in `run.sh` to a placeholder `ANTHROPIC_API_KEY`, so this may be the same pattern rather than an actual beacon. Confirm by reading `run.sh` for any outbound network call before accepting or dismissing it. | Remove undisclosed network calls and telemetry. Every outbound connection should be documented and necessary for the skill's stated purpose. | Manifest | skills/snail3d/voice-devotional/universal-voice-agent/run.sh:12 |
| HIGH | Prompt injection via user-controlled `goal` | The `goal` parameter is taken directly from `req.body` in the `/call-webhook` endpoint and, by the skill's own description, is interpreted by the Haiku model for real-time reasoning. A caller can therefore steer the model's behaviour with a crafted `goal` string. | Validate and constrain `goal` before it reaches the model (length limit, allowed characters, an allowlist of goal templates where feasible) and pass it as clearly delimited data rather than as instructions. Add LLM-specific defences such as input/output filtering or a separate safety model. Sanitisation alone does not reliably stop prompt injection, so also limit what the agent can do regardless of the goal text. | LLM | scripts/websocket-server.js:86 |
| HIGH | Data exfiltration via SMS summary | `sendSummary` in `agent.js` builds an SMS containing the call's `conversationHistory` and `keyDetails`. If `notifyTo` is attacker-controlled, or sensitive information is discussed during the call, private conversation data leaves the system over SMS. | Limit the summary to non-sensitive, essential information and redact sensitive portions of the history before inclusion. Validate `notifyTo` strictly, for example against an operator-configured allowlist rather than a value supplied in the request. | LLM | scripts/agent.js:160 |
| MEDIUM | Potential hardcoded secret (high entropy) | A high-entropy string (entropy=4.99) was found in a credential-like context. | Verify whether this is a real secret; if it is, rotate it and move it to an environment variable. | Static | skills/snail3d/voice-devotional/universal-voice-agent/run.sh:7 |
| MEDIUM | Missing required field: `name` | The `name` field is required for `claude_code` skills but is missing from the SKILL.md frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/snail3d/voice-devotional/universal-voice-agent/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: `$ANTHROPIC_API_KEY` | `$ANTHROPIC_API_KEY` is read in a shell context. | Verify that the access is necessary and that the value is not exfiltrated. | Static | skills/snail3d/voice-devotional/universal-voice-agent/run.sh:11 |
| MEDIUM | Unpinned npm dependency version | `dotenv` is declared as `^17.2.3` rather than an exact version. | Pin to an exact version to reduce drift and supply-chain risk. | Dependencies | skills/snail3d/voice-devotional/universal-voice-agent/package.json |
| MEDIUM | Unpinned dependencies in `package.json` | All dependencies use caret (`^`) ranges. A caret range such as `^17.2.3` accepts any `17.x.y` at or above 17.2.3, that is, new minor and patch releases but not a new major. A fresh `npm install` without a lockfile can therefore pull in a release newer than the one the author tested, including a compromised one published within the range. A committed `package-lock.json` installed with `npm ci` does fix the resolved versions, but the ranges in `package.json` still govern installs that lack or ignore the lockfile, and `npm update`. | Pin exact versions with `npm install --save-exact` (or remove the `^` prefixes), commit `package-lock.json` and install with `npm ci`, and audit and update dependencies regularly to pick up fixes for known vulnerabilities. | LLM | package.json:13 |
| INFO | Suspicious placeholder credential generation | `run.sh` generates a placeholder `ANTHROPIC_API_KEY` by base64-encoding the string `use openrouter`. The value appears non-functional, but encoding a placeholder is unusual and reads as obfuscation; it may also be what triggered the base64-related "network beacon" rule above. Not an exploit, but a suspicious pattern. | Replace the encoded placeholder with a plain string such as `YOUR_ANTHROPIC_API_KEY_HERE`, or drop the line if the key is not needed for default operation, and comment the purpose of any placeholder keys. | LLM | run.sh:9 |
Full report: https://skillshield.io/report/28fc646aaa12fa28 (powered by SkillShield).