Is deploydon/aifs-space safe?

https://github.com/openclaw/skills/tree/main/skills/deploydon/aifs-space

Overall score: 79 (CAUTION)

AIFS Space is a transparent cloud file storage integration with no malicious prompt injection, no executable code, and a clean installation profile producing no unexpected network connections or filesystem changes. The dominant risk is architectural rather than adversarial: the skill routes all agent-written data to aifs.space, infrastructure controlled by skill author 'deploydon', with no documented privacy policy or security posture — effectively granting the author read access to any data the agent writes through the skill. Users who install this skill are implicitly extending trust to an unvetted third-party service operator.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (5)

HIGH · All Agent Writes Route to Skill-Author-Controlled Infrastructure · -35

Every file the agent writes, patches, or deletes through this skill is stored on aifs.space, a service exclusively operated by skill owner 'deploydon'. There is no independent escrow, client-side encryption, or auditable access log visible to the end user. A malicious or compromised skill author can read all data written by any agent using this skill. This is not a flaw in the SKILL.md instructions per se — it is the intended architecture — but it represents an unconditional trust grant to an unknown third party.

HIGH · Unvetted Cloud Service with No Privacy or Security Documentation · -25

aifs.space has no referenced privacy policy, terms of service, data retention schedule, or security posture documentation within the skill. Users evaluating the skill have no basis to assess what happens to their data, how long it is retained, who has access server-side, or whether breach notification obligations exist. Major cloud providers offer auditable compliance frameworks; this service offers none.

MEDIUM · Skill Normalizes Environment Variable Access for API Key Lookup · -20

The skill instructs agents to check AIFS_API_KEY from the environment. While this is standard API key practice, it establishes a precedent for the agent to enumerate process environment variables. In environments where agents have broad env access, this pattern increases the surface area for accidental exposure of adjacent secrets if the agent conflates variable names or the skill's lookup logic is extended.

LOW · Unescaped Remote Content Interpolated into Shell Curl Payload · -10

The 'Append to log' example reads file content from aifs.space into $EXISTING and immediately interpolates it into a curl -d JSON string without sanitization. If an attacker can control content stored on aifs.space (e.g., through a shared or compromised account), they can inject shell metacharacters or break out of the JSON payload when an agent reproduces this pattern.

INFO · Skill Includes Sensitive-Content Advisory Disclaimer · 0

The skill frontmatter explicitly states 'Not to be used for any sensitive content.' This signals some awareness of the trust boundary and is a positive indicator of intent, but it is advisory only — no technical mechanism enforces this constraint on agent behavior.