File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- README.md:77
- Evidence
authToken: "[REDACTED]",
Security audit
Security checks across malware telemetry and agentic risk
Buddy appears to implement its voice-command purpose, but it needs review because a web request can become an agent instruction and its setup/storage choices can expose sensitive tokens or voice recordings.
Install only if you trust the publisher and can secure the gateway. Use a long random bearer token, keep the route behind HTTPS, do not send the pairing URL/token to public QR-code services, rotate the token if exposed, review where audio is stored and deleted, and adjust the prompt framing so the agent confirms sensitive actions before acting.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
authToken: "[REDACTED]",