Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:114
- Evidence
if (!process.env.WS_NO_BUFFER_UTIL) {
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a coherent Telnyx text-to-speech provider, but users should understand it will send TTS text to Telnyx using their Telnyx API key and that the install/package naming is somewhat inconsistent.
This skill is likely safe for its stated purpose if you want Telnyx as your OpenClaw TTS provider. Before installing, verify the exact npm package/repository, understand that synthesized text will be sent to Telnyx, use a carefully managed TELNYX_API_KEY, and avoid custom base URLs unless you trust the proxy.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
if (!process.env.WS_NO_BUFFER_UTIL) {apiKey: [REDACTED](providerConfig, cfg),