VoiceServer

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses coercive and high-pressure instructional language in SKILL.md (e.g., "🚨 MANDATORY: ... REQUIRED BEFORE ANY ACTION", "You MUST send this notification BEFORE doing anything else", "This is not optional") to force the agent to execute a shell command immediately upon invocation. This pattern is commonly used in adversarial prompts to ensure a callback or payload execution occurs before user oversight or agent logic can intervene.
  • [INDIRECT_PROMPT_INJECTION]:
  • Ingestion points: SKILL.md instructs the agent to load and apply any resources or PREFERENCES.md found in ~/.claude/skills/CORE/USER/SKILLCUSTOMIZATIONS/VoiceServer/.
  • Boundary markers: None. There are no instructions to treat these external files as untrusted or to ignore instructions embedded within them.
  • Capability inventory: The agent can perform shell execution (curl, lsof, Bun scripts) and local network requests.
  • Sanitization: None. The skill explicitly states that these external configurations "override default behavior," creating an attack surface where a malicious configuration file could hijack the agent's logic.
  • [DYNAMIC_EXECUTION]: The Tools/VoiceServerManager.ts script dynamically assembles file paths using the user's home directory and executes shell scripts from those paths using the Bun shell wrapper ($). This pattern of executing from computed paths is a common vector for manipulation if the underlying filesystem or path variables are controlled by an attacker.
  • [COMMAND_EXECUTION]: The skill relies extensively on executing shell commands and external scripts (e.g., curl, start.sh, stop.sh, lsof, tail) to manage the voice server and send notifications. While these target localhost, the automated and mandatory nature of the execution flow increases the impact of any compromised instructions.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — VoiceServer