voice-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Metadata Poisoning] (HIGH): The skill description references 'Claude Opus 4.5', a model version that does not exist. This is a common indicator of deceptive intent or 'malware-as-a-service' designed to lure users.
- [Unverifiable Dependencies] (HIGH): The installation instructions require running 'pip install claude-code-voice-skill' from an untrusted author (abracadabra50). This package can execute arbitrary code on the user's system during or after installation.
- [Data Exposure] (HIGH): The skill uses 'localtunnel', which exposes a local server to the public internet. This creates a direct path for external actors to access the 'project snapshots' and local file contents managed by the skill.
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from project files (ingestion points: local project files such as main.py or auth.py) and has the capability to read and report on their contents (capability inventory: file reading, searching code, git status). There are no mentioned boundary markers or sanitization techniques to prevent malicious instructions embedded in code comments from hijacking the AI agent's logic.
- [Command Execution] (MEDIUM): The 'voice-skill start' command initializes a persistent local server and network tunnel, which can be leveraged for persistent access to the host machine.
Recommendations
- AI detected serious security threats
Audit Metadata