phone-agent
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The
/outboundand/callAPI endpoints inserver.pyallow the agent's system prompt to be replaced or extended via the request body. Since the skill is designed to be exposed to the internet via tools like ngrok without built-in authentication, an attacker could trigger calls with malicious instructions.\n- [INDIRECT_PROMPT_INJECTION]: The skill processes live audio transcripts from callers inserver.pyand appends them directly to theconversation_historywithout sanitization or boundary markers.\n - Ingestion points: Caller audio is transcribed via the Deepgram WebSocket in
server.py.\n - Boundary markers: None present; user speech is treated as direct instruction history.\n
- Capability inventory: The agent can execute
ffmpeg, perform web searches, and make outbound calls.\n - Sanitization: No transcript filtering or safety checks are performed.\n- [COMMAND_EXECUTION]: In
server.py, the_transcode_mp3_to_mulawfunction executes theffmpegbinary usingasyncio.create_subprocess_exec. While the arguments are not derived from user input, this adds a capability to execute system binaries.\n- [EXTERNAL_DOWNLOADS]: The skill connects to official APIs for OpenAI, Deepgram, Twilio, and Brave Search. These are well-known technology providers and the connections are required for the skill's primary functionality.
Audit Metadata