agentphone
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill configuration in .mcp.json specifies the use of agentphone-mcp@0.2.0, which is a vendor-provided package managed via the Node.js package runner. This is the intended method for extending the agent's capabilities with the AgentPhone service.
- [PROMPT_INJECTION]: The skill's primary function involves reading external data such as SMS messages and call transcripts, creating a surface for indirect prompt injection where malicious instructions embedded in incoming communications could influence agent behavior.
  - Ingestion points: Data is brought into the agent context through tools like get_messages, get_call, and stream_transcript in references/api-reference.md.
  - Boundary markers: The skill documentation does not define specific markers or delimiters to separate untrusted telephony content from system instructions.
  - Capability inventory: The agent has access to impactful tools including send_message, make_call, and update_agent, which could be targeted by successful injection attacks.
  - Sanitization: There are no documented mechanisms for filtering or sanitizing the text content received from phone calls or SMS before it is processed by the AI.
Audit Metadata