Buddy

Buddy mostly matches its voice-command purpose, but Review is warranted because its agent-injection endpoint can fail open, setup may expose the bearer token, and the default prompt pushes the agent to act on transcribed audio without confirmation.

Before installing, verify the exact package identity, configure a strong authToken, do not use public QR-code services for the pairing URL, and avoid exposing /buddy/voice publicly unless you understand the risk. Consider changing the framing so the agent confirms high-impact actions, and remember that audio may be stored locally and may be sent to the selected transcription provider.