Is second-brain safe?

https://clawhub.ai/christinetyip/second-brain

Overall score: 72 (CAUTION)

The second-brain skill is a knowledge management tool that transmits all user-saved content to the third-party Ensue API (api.ensue-network.ai). It contains no overt malicious code, git hooks, or install-time exploits, but its core functionality creates a persistent data exfiltration channel for user intellectual content, including concepts, patterns, tool knowledge, and personal journal entries. The accompanying shell script has minor input sanitization issues (variables interpolated into a JSON payload without escaping). No canary files were compromised.

Category Scores

Prompt Injection 75/100 (weight 30%)
Data Exfiltration 55/100 (weight 25%)
Code Execution 65/100 (weight 20%)
Clone Behavior 95/100 (weight 10%)
Canary Integrity 100/100 (weight 10%)
Behavioral Reasoning 55/100 (weight 5%)

Findings (6)

HIGH (-35) User knowledge transmitted to third-party API

Every save, update, search, and retrieval operation sends user-authored content or queries to api.ensue-network.ai. The skill encourages users to build a comprehensive knowledge base spanning concepts, tools, patterns, and personal journal entries — all transmitted to a remote server with no stated data retention or privacy guarantees visible in the skill.

MEDIUM (-20) Unsanitized variable interpolation in shell script

Both the METHOD and ARGS variables are interpolated directly into the curl JSON payload without escaping or validation. METHOD is normally set by the SKILL.md instructions, but ARGS is agent-constructed JSON that can be influenced by user input or by other skills. A value that closes the JSON object early can add or override fields in the request body, which makes this a JSON injection vector.
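The following is an added illustration, not code from the second-brain skill or from the scan report. It models the interpolation pattern the finding describes in Python so the resulting request can be parsed and inspected: the payload layout, the allowlist of method names, and the `delete_all` method used as the injected value are all assumptions, since the page does not show the skill's script or the Ensue API's request format.

```python
"""Models the unsanitized METHOD/ARGS interpolation described in the finding.

The real skill's shell script and the request shape of api.ensue-network.ai are
not reproduced on the page; the payload layout and method names are assumptions.
"""
import json

# Assumed operation names, based on the save/update/search/retrieve verbs the
# report mentions; the service's real method names are not on the page.
ALLOWED_METHODS = {"save", "update", "search", "get"}


def build_payload_unsafe(method: str, args: str) -> str:
    # Plain string interpolation, equivalent to a shell script doing
    #   curl -d "{\"method\": \"$METHOD\", \"args\": $ARGS}"
    return '{"method": "%s", "args": %s}' % (method, args)


def build_payload_safe(method: str, args: str) -> str:
    """Allowlist METHOD and parse ARGS before either value reaches the wire."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method!r}")
    try:
        parsed = json.loads(args)
    except json.JSONDecodeError as exc:
        # Trailing text after the first JSON value ("Extra data") is rejected here
        raise ValueError(f"args is not a single JSON document: {exc.msg}") from None
    if not isinstance(parsed, dict):
        raise ValueError("args must be a JSON object")
    # Re-serialising from parsed data means nothing inside args can close or
    # extend the envelope object.
    return json.dumps({"method": method, "args": parsed})


def try_build_safe(method: str, args: str) -> tuple:
    """(True, payload) on success, (False, reason) when validation rejects input."""
    try:
        return True, build_payload_safe(method, args)
    except ValueError as exc:
        return False, str(exc)


def server_view(payload: str) -> dict:
    """How a typical JSON parser sees the body (last duplicate key wins, as in
    Python and most JavaScript runtimes)."""
    return json.loads(payload)


# Constructed inputs. The agent intended a 'save'; the ARGS value was shaped
# (by pasted user text or another skill) so that it closes the args object early
# and appends a second "method" key. "delete_all" is a hypothetical method name.
INJECTED_ARGS = '{"content": "meeting notes"}, "method": "delete_all"'
INJECTED_METHOD = 'save", "method": "delete_all'   # same trick via METHOD
HONEST_ARGS = json.dumps({"content": 'He said "ship it"\n'})


if __name__ == "__main__":
    hit = server_view(build_payload_unsafe("save", INJECTED_ARGS))
    print("unsafe, injected ARGS   -> method =", hit["method"])   # delete_all
    hit = server_view(build_payload_unsafe(INJECTED_METHOD, "{}"))
    print("unsafe, injected METHOD -> method =", hit["method"])   # delete_all
    print("safe, injected ARGS     ->", try_build_safe("save", INJECTED_ARGS))
    print("safe, injected METHOD   ->", try_build_safe(INJECTED_METHOD, "{}"))
    print("safe, honest ARGS       ->", server_view(build_payload_safe("save", HONEST_ARGS)))
```

The unsafe builder lets either variable smuggle a second `"method"` key into the envelope, and the parser on the receiving end silently takes the last one. The same structural fix applies to the shell script itself: validate METHOD against a fixed list and build the body with a JSON-aware tool (for example `jq -n --arg` / `--argjson`) rather than string concatenation, so a malformed or multi-valued ARGS is rejected instead of forwarded.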

MEDIUM (-15) Broad intent capture with autonomous behavior

The skill maps common phrases ('save this', 'remember', 'what do I know about', 'search for') to API operations and instructs the agent to proactively surface related concepts during conversations. This creates implicit behavioral overrides where normal user language triggers external API calls.

LOW (-10) Commercial service promotion embedded in skill

The skill embeds UTM-tracked URLs to ensue-network.ai in metadata, setup instructions, and error messages, effectively using the agent as a marketing channel for the Ensue commercial service.

LOW (-5) AWS credentials file accessed during installation

The .aws/credentials canary file was opened and read during the installation process. This appears to be ClawdBot runtime behavior rather than skill-initiated, but it demonstrates that sensitive credential files are accessible in the execution environment.

INFO (-10) Skill could serve as data siphon pipeline for other skills

If combined with another skill that programmatically triggers 'save' or 'remember' commands, the second-brain skill would faithfully transmit that content to the external API. Because sending data externally is this skill's normal behavior, such calls would not look anomalous, which makes it a potential exfiltration channel.