azure-ai-voicelive-dotnet

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection due to its core function of processing untrusted external streams.
      • Ingestion points: Untrusted data enters the agent context through VoiceLiveSession.AddItemAsync (text) and VoiceLiveSession.SendAudioAsync (audio deltas) as described in the Core Workflow section of SKILL.md.
      • Boundary markers: There are no boundary markers, delimiters, or framing instructions used to isolate user-provided content from the system prompt.
      • Capability inventory: The skill enables high-impact capabilities through VoiceLiveFunctionDefinition and AddItemAsync(new FunctionCallOutputItem(...)), which allow the model to trigger external functions and process their outputs based on the ingested untrusted data.
      • Sanitization: No input validation or output sanitization is performed on the data before it is passed to the LLM or before function arguments are used at runtime.
  • [Unverifiable Dependencies] (LOW): The skill references the NuGet package Azure.AI.VoiceLive. While the name and linked repository (Azure/azure-sdk-for-net) are within a trusted organization scope, the specific package name does not currently match public Azure OpenAI Realtime documentation (which typically uses Azure.AI.OpenAI). Per [TRUST-SCOPE-RULE], this is categorized as LOW risk due to the trusted repository context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 14, 2026, 11:11 AM