Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.js:51
- Evidence
baseUrl: readString(raw.baseUrl) ?? process.env.SPEACHES_BASE_URL ?? DEFAULT_BASE_URL,
Security audit
Security checks across malware telemetry and agentic risk
This skill appears to do what it says: connect OpenClaw speech features to a configurable Speaches server, but your voice/text and Speaches API key go to that configured server.
This appears reasonable for users who run or trust a Speaches server. Before installing, confirm the baseUrl points to your intended local/private endpoint, avoid sending audio or API keys to untrusted remote servers, and use locked dependencies if your environment requires stronger supply-chain control.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access
baseUrl: readString(raw.baseUrl) ?? process.env.SPEACHES_BASE_URL ?? DEFAULT_BASE_URL,