As with browser add-ons, you’re entirely at the mercy of a developer. And should they use their powers for evil, you could be giving up everything you’re saying to your device to some random person.
At least, that’s the scenario presented by Germany’s Security Research Labs (SRLabs), who built a number of dummy Skills (Amazon) and Actions (Google) that passed both companies’ checks and were actually listed for download to your Echo or Google Home devices. The catch? As Ars Technica describes:
“The malicious apps had different names and slightly different ways of working, but they all followed similar flows. A user would say a phrase such as: ‘Hey Alexa, ask My Lucky Horoscope to give me the horoscope for Taurus’ or ‘OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus.’ The eavesdropping apps responded with the requested information while the phishing apps gave a fake error message. Then the apps gave the impression they were no longer running when they, in fact, silently waited for the next phase of the attack.”
The security researchers actually developed two kinds of apps—one for eavesdropping, one for phishing—that both worked similarly. In the former, the app would simply do whatever it is you told it to, but it wouldn’t stop recording your voice; in the latter, the app would pretend to accomplish a task, wait a bit, then give you a fake message that your device was updated and you needed to provide your password for the update to complete. And any password you then provided was shuffled off to the developer’s servers.
Both Amazon and Google have since pulled the offending skills/actions—after being notified of their existence by SRLabs—and are working on extra “mechanisms” and “mitigations” to ensure these kinds of exploits don’t make their way into other skills and actions.
The same common-sense precautions apply here as when adding add-ons to Firefox or installing apps on your smartphone: only install skills and actions from developers you have reason to trust, and be suspicious of any voice app that asks for a password.