Oathe Security Badge

Is pardel/vonage-unofficial-skill safe?

https://github.com/pardel/vonage-unofficial-skill

88
SAFE

The Vonage unofficial skill provides legitimate SMS and voice integration through webhook endpoints. Monitoring detected access to sensitive files during installation, but that access occurred before the skill was cloned and is therefore attributed to system-level audit processes rather than to the skill itself. The skill generates a substantial amount of executable code, but the code stays within the scope of its documented functionality.

Category Scores (score/100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Sensitive File Access During Installation -15

Monitoring detected access to sensitive credential files, including .env files, SSH keys, AWS credentials, and other security-sensitive files. Because the access occurred before the git clone operation, when none of the skill's code was yet on the host, it is attributed to system-level monitoring processes rather than to the skill.

MEDIUM Substantial Executable Code in Setup Script -25

The skill's shell script (setup.sh) generates and executes substantial JavaScript code that stands up a complete Express.js webhook server. This aligns with the skill's stated purpose of SMS/voice integration, but it is significant code-execution capability, and because the server code is produced at install time, a reviewer needs to read setup.sh itself rather than only the JavaScript checked into the repository.

LOW Canary File Access Without Modification -10

Multiple sensitive canary files were accessed during installation but were neither modified nor exfiltrated. As with the finding above, the timing points to system monitoring rather than to malicious activity.
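The two canary findings above rest on one argument: a read of a planted credential file that happens before the skill is cloned cannot be the skill's doing, while a read after the clone is attributable, and a write is worse than a read. The following Node.js script, an added illustration and not the scanner's or the skill's code, replays that logic over a constructed file-access log. The log format, the canary paths, and the process names are assumptions made for the example.

```javascript
'use strict';

// Canary files a scanner might plant before installing a skill. Assumed list
// for this example; the real scanner's canaries are not listed on the page.
const CANARY_PATHS = [
  '/home/u/.env',
  '/home/u/.ssh/id_ed25519',
  '/home/u/.aws/credentials',
];

// Constructed sample log, one event per line:
//   <ISO-8601 time> <pid> <comm> <op> <path or command>
// op is one of: open, write, exec. The auditd reads happen before the clone;
// the node read of .env happens after setup.sh has run.
const SAMPLE_LOG = `
2024-05-01T10:00:01Z 812 auditd open /home/u/.env
2024-05-01T10:00:01Z 812 auditd open /home/u/.ssh/id_ed25519
2024-05-01T10:00:02Z 812 auditd open /home/u/.aws/credentials
2024-05-01T10:00:05Z 901 git exec git clone https://github.com/pardel/vonage-unofficial-skill
2024-05-01T10:00:09Z 955 bash exec bash setup.sh
2024-05-01T10:00:10Z 955 bash write /home/u/skill/server.js
2024-05-01T10:00:11Z 960 node open /home/u/.env
`;

// Parse the log into event objects with a numeric timestamp (ms since epoch).
function parseLog(text) {
  return text.trim().split('\n').filter(Boolean).map((line) => {
    const [ts, pid, comm, op, ...rest] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), pid: Number(pid), comm, op, target: rest.join(' ') };
  });
}

// Attribute every open/write of a canary path. Accesses before the first
// "git clone" exec are tagged system/INFO; accesses after it are the skill's,
// MEDIUM for a read and HIGH for a write. With no clone in the log the skill
// never arrived, so nothing is attributed to it.
function attributeCanaryAccess(events, canaryPaths) {
  const clone = events.find((e) => e.op === 'exec' && /\bgit clone\b/.test(e.target));
  const cloneTs = clone ? clone.ts : Infinity;
  const findings = [];
  for (const path of canaryPaths) {
    const touches = events.filter((e) => e.target === path && (e.op === 'open' || e.op === 'write'));
    for (const e of touches) {
      const afterClone = e.ts >= cloneTs;
      const modified = e.op === 'write';
      findings.push({
        path,
        comm: e.comm,
        pid: e.pid,
        afterClone,
        modified,
        attribution: afterClone ? 'skill' : 'system',
        severity: !afterClone ? 'INFO' : modified ? 'HIGH' : 'MEDIUM',
      });
    }
  }
  return findings;
}

// Count findings per severity so a report can decide what to deduct.
function summarize(findings) {
  const counts = { INFO: 0, MEDIUM: 0, HIGH: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Stand-alone run: print the attribution table for the sample log.
const findings = attributeCanaryAccess(parseLog(SAMPLE_LOG), CANARY_PATHS);
for (const f of findings) {
  console.log(`${f.severity.padEnd(6)} ${f.attribution.padEnd(6)} ${f.comm.padEnd(6)} ${f.path}`);
}
console.log(summarize(findings));
```

The pre-clone reads by auditd come out as system/INFO, matching the report's reasoning; the post-clone read of .env by the node process is the case the report did not see and would have to be scored as the skill's own behaviour.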

LOW Network Service Creation -15

The skill runs a web server that accepts external connections and processes input arriving over SMS and voice channels. That is legitimate for its intended purpose, but an externally reachable endpoint is attack surface: if the skill were compromised, or if it does not check that requests actually originate from Vonage, untrusted input reaches the host directly.