tavus-cvi-ui

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to run 'npx @tavus/cvi-ui@latest' and link to GitHub repositories under the 'Tavus-Engineering' organization, neither of which is on the trusted sources list.
  • REMOTE_CODE_EXECUTION (MEDIUM): The use of 'npx' to execute unverified packages during the 'init' and 'add' phases constitutes a remote code execution risk during the developer's setup process.
  • CREDENTIALS_UNSAFE (LOW): The 'Basic Implementation' section demonstrates using 'VITE_TAVUS_API_KEY' in client-side React code. In Vite, environment variables with the 'VITE_' prefix are exposed to the browser bundle, potentially leaking the secret key to end-users. While the skill includes a 'Recommended' server-side section to mitigate this, the primary example is insecure.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:12 PM