voice-ai-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill establishes high-risk patterns for processing untrusted external voice data which is directly used to drive agent actions and tool execution.
- Ingestion points: Untrusted data enters via the voice_session WebSocket (OpenAI Realtime), transcribe_stream (Deepgram), and the /vapi/webhook endpoint (Vapi).
- Boundary markers: Absent. The provided patterns lack delimiters or 'ignore' instructions, meaning the agent cannot reliably distinguish between administrative instructions and untrusted user audio transcripts.
- Capability inventory: The patterns include high-privilege capabilities such as function calling (e.g., get_weather, check_order), creating outbound calls, and processing transcripts for decision-making.
- Sanitization: None. Transcripts are handled as raw strings and fed directly into control logic, creating a significant surface for indirect prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata