This is a powerful voice-assistant skill, but it exposes secrets and gives cloud services and home-automation controls more access than its “offline” framing suggests.
Install only after rotating/removing the exposed keys, confirming you are comfortable with voice audio and prompts leaving the device, using HTTPS or trusted local-only endpoints for Home Assistant and the gateway, and restricting the Home Assistant token to only the devices/actions this assistant should control. Treat the biometric enrollment files as sensitive and do not enable persistent listening in shared spaces without clear consent.