File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- README.md:77
- Evidence
authToken: "[REDACTED]",
Security audit
Security checks across malware telemetry and agentic risk
Buddy mostly matches its voice-to-agent purpose, but it persistently changes gateway hook settings so voice requests can trigger agent turns, which needs review before use.
Install only if you intentionally want a remote voice endpoint that can start agent turns. Keep the gateway private, use and rotate strong tokens, review OpenClaw hooks configuration after install, choose transcription providers carefully, and plan cleanup for stored audio clips.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
authToken: "[REDACTED]",