omi-backend-patterns
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The architecture described is inherently vulnerable to Indirect Prompt Injection because it processes untrusted external conversational data to trigger side-effect-bearing actions.
- Ingestion points: Untrusted audio and transcripts are ingested via
/v4/listenandPOST /v1/conversations(SKILL.md). - Boundary markers: The skill does not define delimiters or specific instructions to the LLM to ignore embedded commands in transcripts.
- Capability inventory: The system uses an LLM to extract action items, calendar events, and memories which are then stored or potentially executed (SKILL.md).
- Sanitization: There is no evidence of sanitization or validation of the extracted structured data before it is stored or used to trigger webhooks.
Recommendations
- AI detected serious security threats
Audit Metadata