Is para-second-brain safe?

https://clawhub.ai/halthelobster/para-second-brain

82
SAFE

PARA Second Brain is a benign knowledge organization skill implementing the PARA methodology with local file-based storage. It contains no malicious code, no network exfiltration, and no hidden instructions. The primary concerns are its behavioral influence on the agent (autonomous file-writing at context thresholds, persistent behavioral directives via AGENTS.md injection) and the expanded file search surface via the symlink trick. The setup script is safe but accepts unsanitized path input.

Category Scores (category · score out of 100 · weight in overall score)

Prompt Injection 75/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

MEDIUM Behavioral override via AGENTS.md injection -20

The skill instructs users to paste substantial agent behavioral directives into AGENTS.md, including autonomous file-writing triggers based on context thresholds, memory flush protocols, and session continuity instructions. While benign in purpose (knowledge management), this establishes a persistent behavioral layer that shapes agent actions across all future sessions.

LOW External skill cross-references -5

SKILL.md references two other skills by URL (memory-setup and proactive-agent) and includes a comparison table with a third (Ensue Second Brain). While these are informational only and not fetch directives, they could influence agent behavior by encouraging installation of additional skills.

LOW Unsanitized path argument in setup.sh -10

setup.sh accepts $1 as the workspace path without validation or sanitization. While it only performs mkdir and file creation (low impact), passing a crafted path could create directories in unintended locations.

LOW Executable shell script included -10

The skill includes scripts/setup.sh, an executable bash script. The script is benign (directory creation and template file generation only), but its presence means the agent could be instructed to execute it.

LOW Sensitive file reads during install (runtime attribution) -10

Filesystem monitoring captured reads of .env, .aws/credentials, and .openclaw/openclaw.json during the install phase. These are attributed to the OpenClaw agent runtime initialization rather than the skill itself, but the reads are notable.

LOW Expanded search surface via symlink -15

The symlink trick (ln -s notes memory/notes) makes the entire notes/ directory searchable via memory_search. This is user-initiated and local, but it could inadvertently expose sensitive notes content to agent search that the user did not intend to make discoverable.

INFO Autonomous file-writing at context thresholds -15

The memory flush protocol instructs the agent to autonomously write files when context usage exceeds certain percentages. This is a benign knowledge-preservation mechanism but establishes a pattern of unprompted file writes.