Trust Assessment
vapi-calls received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 1 high, 2 medium, and 2 low severity. Key findings include Network egress to untrusted endpoints, Suspicious import: requests, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/cmorillas99-cyber/vapi-calls/scripts/vapi_calls.py:177 | |
| CRITICAL | User-controlled `system_prompt` allows LLM instruction injection The `make_vapi_call` tool's `system_prompt` parameter is directly used as the `systemPrompt` for the Vapi AI assistant's model. This allows an attacker to inject arbitrary instructions into the Vapi LLM, potentially overriding its intended behavior, causing it to perform unintended actions, or extracting sensitive information during the phone call. Implement strict input validation and sanitization for `system_prompt`. Consider using a fixed system prompt or a templated approach where only specific variables can be filled by user input, rather than allowing free-form text. If free-form text is necessary, ensure the Vapi API or underlying LLM has robust guardrails against prompt injection. | LLM | scripts/vapi_calls.py:170 | |
| HIGH | Sensitive call transcripts and summaries printed to stdout The skill captures the full transcript and summary of phone calls, which may contain Personally Identifiable Information (PII) or other sensitive data exchanged during the conversation. This information is then printed directly to `sys.stdout` as a JSON object. This poses a data exfiltration risk if the host environment's logging or output capture mechanisms are not adequately secured, potentially exposing sensitive call content. Implement a secure logging mechanism for sensitive call data, such as writing to an encrypted file, a secure database, or a dedicated logging service with appropriate access controls. Avoid printing sensitive information directly to `stdout` where it can be easily captured by less secure means. Consider redacting PII from transcripts/summaries before logging or outputting. | LLM | scripts/vapi_calls.py:220 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/cmorillas99-cyber/vapi-calls/scripts/vapi_calls.py:9 | |
| MEDIUM | Unpinned npm dependency version Dependency 'requests' is not pinned to an exact version ('^2.31.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/cmorillas99-cyber/vapi-calls/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/cmorillas99-cyber/vapi-calls/package.json | |
| LOW | Unpinned `requests` dependency The `package.json` specifies the `requests` dependency with a caret (`^`) operator (`"^2.31.0"`). This allows for automatic updates to minor and patch versions, which could inadvertently introduce breaking changes, vulnerabilities, or malicious code if a compromised package is published. Pin the `requests` dependency to an exact version (e.g., `"requests": "2.31.0"`). Regularly review and manually update dependencies to ensure compatibility and security. | LLM | package.json:10 | |
| INFO | Skill exposes a public HTTP webhook server The skill is designed to expose an HTTP server on `0.0.0.0` (all interfaces) at a configurable port (`WEBHOOK_PORT`, default 4430) to receive webhooks from Vapi. This makes the agent publicly accessible and increases its attack surface. While the current implementation attempts to filter requests by `call_id`, any publicly exposed service is a potential target for reconnaissance, denial-of-service, or other attacks. Ensure the webhook handler is as minimal and robust as possible. Implement strict validation of all incoming webhook data. Consider IP whitelisting if Vapi provides static IP ranges for webhooks. Ensure the host environment has a firewall configured to restrict access to the webhook port to only necessary sources. Monitor access logs for suspicious activity. | LLM | scripts/vapi_calls.py:156 |
Scan History
Embed Code
[](https://skillshield.io/report/2665915b505a5573)
Powered by SkillShield