Oasis Audio

What to consider before installing/using this skill: - It will read your local conversation session files (~/.qclaw, ~/.easyclaw, ~/.openclaw), memory .md files, and USER.md to personalize audio. That behavior is required for its stated purpose but is privacy-sensitive. - It sends a composed prompt to an external API (eagle-api.xplai.ai). The code tries to redact obvious secrets and logs the sent prompt locally (audit.log), but redaction is regex-based and can miss sensitive content. Assume any personalized data included in the prompt may be exposed to the API operator. - The SKILL.md instructs the agent to proceed without asking for confirmation when the user requests audio. If you want explicit consent before any external transmission, do not allow autonomous invocation or modify the policy to require confirmation. - Discrepancy: registry metadata lists no config paths, but SKILL.md enumerates them. Verify which metadata is authoritative. Practical steps: - Review the code yourself (context_collector.py and xplai_gen_audio.py) to confirm how prompts are assembled and what gets redacted. - Test in dry-run mode: run xplai_gen_audio.py --dry-run to see the sanitized prompt the skill would send. - Restrict or sanitize USER.md and memory files if they contain PII before use. - If possible, disable autonomous invocation or require the agent to ask for confirmation before sending any external request. - If you must use it, consider running in an isolated environment or VM so session files used are limited and auditable. If you want, I can: (1) point out the exact lines where sensitive fields are included in prompt construction (requires full context_collector output beyond truncated snippet), (2) suggest a safer execution policy text that forces confirmation, or (3) draft a short patch to make redaction more conservative (e.g., drop any fragments containing named entities or phone numbers) to reduce leakage risk.