Back to plugin

Security audit

Speaches

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: connect OpenClaw speech features to a configurable Speaches server, but your voice/text and Speaches API key go to that configured server.

This appears reasonable for users who run or trust a Speaches server. Before installing, confirm the baseUrl points to your intended local/private endpoint, avoid sending audio or API keys to untrusted remote servers, and use locked dependencies if your environment requires stronger supply-chain control.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:51
Evidence
baseUrl: readString(raw.baseUrl) ?? process.env.SPEACHES_BASE_URL ?? DEFAULT_BASE_URL,