Skills
skills/usevowel/skills/vowel-webcomponent/Gen Agent Trust Hub

vowel-webcomponent

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to install @vowel.to/client and @ricky0123/vad-web via bun add. These are standard dependencies for the widget's voice activity detection and client-side logic.
  • [COMMAND_EXECUTION]: Provides setup commands using bun for package management and cp for copying assets to a public directory, which are standard development workflows.
  • [PROMPT_INJECTION]: The skill describes a surface for indirect prompt injection where the voice agent processes user speech to trigger actions via registerAction. While this is an architectural risk inherent to voice-controlled agents, there are no malicious instructions in the skill itself.
  • Ingestion points: User voice transcripts processed by the <vowel-voice-widget> (SKILL.md).
  • Boundary markers: None explicitly defined in the examples.
  • Capability inventory: JavaScript action handlers registered via registerAction or custom-actions attribute (SKILL.md).
  • Sanitization: Not explicitly mentioned in the integration examples.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 23, 2026, 02:06 PM