liber-speechapi

This skill behaves like a legitimate ASR/TTS client, but there are several red flags you should consider before installing: - The SKILL.md and scripts require LIBER_API_BASE_URL and LIBER_API_KEY, yet the registry metadata declares no required env vars — treat the client as needing an API key even if the registry doesn't show it. - The code will search and load ~/.openclaw/.env and ~/.openclaw/workspace/config/speechapi_config.json; if you store other secrets in those files, the skill could read them. Review those files and remove unrelated secrets before use, or run the skill in an isolated account/profile. - The client disables proxy env vars (requests.Session().trust_env = False), which prevents use of system http_proxy/https_proxy. If your environment relies on a proxy for auditing or egress controls, this behavior could bypass it; consider running in a network-isolated environment or blocking outbound access except to a trusted base URL. - The packaged .env contains a test local API URL and key; do not assume those are real credentials. Only provide your real LIBER_API_KEY to the skill if you trust the service endpoint (LIBER_API_BASE_URL) and have inspected the code. Recommended actions: inspect the full scripts yourself or run the skill in a disposable container/VM, restrict network egress to known endpoints, and do not place other secrets in ~/.openclaw files while testing. If you need to proceed, update the registry metadata to declare the required env vars (LIBER_API_BASE_URL and LIBER_API_KEY) so the requirement is explicit.