Vapi — agentic threat model
Vapi presents a moderate-to-high agentic risk profile primarily driven by its support for real-time function calling and voice-based interactions, which are susceptible to audio-based prompt injection and unauthorized API execution.
OWASP AIVSS score rationale
| Factor | Score |
|---|---|
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin that layer down.
Layer 1: Foundation Models
Vapi orchestrates foundation models for speech-to-text, LLM reasoning, and text-to-speech. The primary threat is voice-based prompt injection (adversarial audio) that bypasses LLM alignment, potentially causing the agent to output malicious instructions or execute unintended functions.
Layer 2: Data Operations
Not certain from the listing — The directory does not specify how Vapi manages RAG, vector databases, or long-term data persistence. However, transient voice transcripts and session logs present a high risk of data exfiltration if the API endpoints or logging databases are compromised.
Layer 3: Agent Frameworks
Vapi acts as the orchestration framework, managing interruption handling and function calling. The key threat here is tool misuse and insecure tool integration, where an attacker manipulates the voice conversation to trigger sensitive backend functions with elevated privileges.
Layer 4: Deployment and Infrastructure
Not certain from the listing — The deployment infrastructure, sandboxing of function execution, and secrets management for third-party integrations are not detailed. General threats include insecure API key storage and lack of network isolation for outbound function calls.
Layer 5: Evaluation and Observability
Not certain from the listing — While Vapi supports testing and deployment, the listing does not detail built-in guardrails, real-time anomaly detection, or LLM evaluation frameworks. This creates potential blind spots in detecting prompt injection or toxic outputs in real-time voice streams.
Layer 6: Security and Compliance
Not certain from the listing — Compliance certifications (such as SOC 2, or HIPAA for voice data) and fine-grained access controls are not specified. Standard API security risks apply, including weak authentication or lack of rate limiting on voice endpoints.
Layer 7: Agent Ecosystem
Not certain from the listing — The directory focuses on single-agent voice deployment and does not explicitly detail multi-agent orchestration or marketplace dynamics, though integration with external APIs could lead to cascading failures if downstream services are compromised.
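The Layer 3 threat above (a manipulated conversation triggering sensitive backend functions) and the Layer 6 note on missing rate limiting both come down to the same control: the orchestration layer must not execute whatever function call the LLM emits. The following is an added example, not Vapi code or any Vapi API; it assumes the model's function call arrives as a plain dict with `name` and `arguments`, and it uses a hypothetical `confirm` callback standing in for re-prompting the caller before a sensitive action. It gates each call on an allowlist, a strict argument schema, a per-session budget, and out-of-band confirmation for sensitive tools, and keeps an audit trail of every decision.

```python
"""
Tool-call authorization gate for a voice agent's function calling.

Illustrative code added to this threat model; it is not Vapi's SDK or API.
Assumptions: the LLM emits calls as {"name": str, "arguments": dict}, and the
orchestrator can run a confirmation step (the `confirm` callback below is
hypothetical) before a sensitive tool executes.
"""
from dataclasses import dataclass
from typing import Any, Callable
import time


@dataclass
class ToolSpec:
    name: str
    required_args: dict[str, type]   # argument name -> exact expected type
    sensitive: bool = False          # True: needs explicit caller confirmation
    max_calls_per_session: int = 5   # budget against repeated triggering


@dataclass
class GateDecision:
    allowed: bool
    reason: str


class ToolCallGate:
    """Decides whether a model-emitted function call may reach the backend."""

    def __init__(self, registry: dict[str, ToolSpec],
                 confirm: Callable[[str, dict[str, Any]], bool]):
        self.registry = registry
        self.confirm = confirm
        self.call_counts: dict[str, int] = {}
        self.audit_log: list[dict[str, Any]] = []

    def check(self, call: dict[str, Any]) -> GateDecision:
        name = call.get("name")
        args = call.get("arguments") or {}
        spec = self.registry.get(name)
        if spec is None:
            # Anything not registered is refused, whatever the transcript says.
            return self._log(name, args, False, "tool not in allowlist")
        # Strict schema: no extra arguments, every required one present and typed.
        unknown = set(args) - set(spec.required_args)
        if unknown:
            return self._log(name, args, False,
                             f"unexpected arguments: {sorted(unknown)}")
        for arg, typ in spec.required_args.items():
            if arg not in args or type(args[arg]) is not typ:
                return self._log(name, args, False,
                                 f"missing or mistyped argument: {arg}")
        # Per-session budget limits how often one conversation can fire a tool.
        count = self.call_counts.get(name, 0)
        if count >= spec.max_calls_per_session:
            return self._log(name, args, False, "per-session call budget exceeded")
        # Sensitive tools need a confirmation outside the model's control.
        if spec.sensitive and not self.confirm(name, args):
            return self._log(name, args, False,
                             "caller did not confirm sensitive action")
        self.call_counts[name] = count + 1
        return self._log(name, args, True, "ok")

    def _log(self, name: Any, args: dict[str, Any], allowed: bool,
             reason: str) -> GateDecision:
        self.audit_log.append({"ts": time.time(), "tool": name, "args": args,
                               "allowed": allowed, "reason": reason})
        return GateDecision(allowed, reason)


def run_demo() -> list[tuple[str, bool, str]]:
    """Runs a constructed sequence of model-emitted calls through the gate."""
    registry = {
        "lookup_order": ToolSpec("lookup_order", {"order_id": str}),
        "issue_refund": ToolSpec("issue_refund", {"order_id": str, "amount": float},
                                 sensitive=True, max_calls_per_session=2),
    }

    # Hypothetical confirmation policy standing in for re-prompting the caller.
    def confirm(name: str, args: dict[str, Any]) -> bool:
        return args.get("amount", 0.0) <= 50.0

    gate = ToolCallGate(registry, confirm)
    # Constructed sample calls, as an LLM might emit them mid-conversation.
    calls = [
        {"name": "lookup_order", "arguments": {"order_id": "A-1001"}},
        {"name": "issue_refund", "arguments": {"order_id": "A-1001", "amount": 25.0}},
        {"name": "issue_refund", "arguments": {"order_id": "A-1002", "amount": 500.0}},
        {"name": "issue_refund", "arguments": {"order_id": "A-1003", "amount": 25.0}},
        {"name": "issue_refund", "arguments": {"order_id": "A-1004", "amount": 25.0}},
        {"name": "export_transcripts", "arguments": {"session": "*"}},
        {"name": "lookup_order", "arguments": {"order_id": "A-1001", "verbose": True}},
    ]
    results = []
    for call in calls:
        decision = gate.check(call)
        results.append((call["name"], decision.allowed, decision.reason))
    return results


if __name__ == "__main__":
    for name, allowed, reason in run_demo():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The gate runs after the model and before any backend call, so a transcript manipulated through adversarial audio can at most request an allowed, well-typed, budgeted action, and a sensitive one still needs confirmation the model cannot supply. The audit log is what the Layer 5 observability gap would otherwise leave missing: every denied call, with its arguments, is available for detection.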
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).