Is halthelobster/para-second-brain safe?
https://github.com/openclaw/skills/tree/main/skills/halthelobster/para-second-brain
PARA Second Brain is a legitimate knowledge management skill with no prompt injection, no malicious code, no data exfiltration, and all canary honeypot files confirmed intact. The two meaningful concerns are user-opt-in features rather than active attacks: a symlink trick that expands the LLM's searchable file scope to arbitrary local directories, and a session transcript indexing recommendation that makes past conversations persistently searchable by the agent. Users who install this skill should carefully review what their notes directory contains before running the symlink command and consider whether session transcript indexing aligns with their privacy expectations.
Findings (5)
LOW Substantial behavioral reprogramming via AGENTS.md instructions -12
The skill injects detailed autonomous behavioral instructions into AGENTS.md: context-percentage monitoring via session_status, a four-tier urgency escalation protocol (<50% normal, 50-70% increased vigilance, 70-85% active flushing, >85% emergency flush), and directives to stop responding to users at high context in order to write files. While fully disclosed and legitimate for a memory-management skill, users should review these additions as they meaningfully change agent autonomy and prioritization.
LOW Symlink trick expands memory_search to arbitrary local directories -8
SKILL.md instructs users to create a symlink from memory/notes to their actual notes directory, explicitly to bypass the default restriction of memory_search to MEMORY.md and daily logs. Any files in the linked notes directory — including sensitive documents, project files, or credentials accidentally saved as notes — become queryable context for the LLM. The scope expansion is user-initiated but users may underestimate what files the notes directory contains.
LOW Session transcript indexing recommendation accumulates sensitive conversational history -8
The skill recommends modifying Clawdbot config to add 'sessions' as a memory_search source. This indexes all past conversation transcripts and injects matching excerpts into future sessions. Sensitive information shared in past sessions (API keys mentioned, personal data, business secrets discussed) could be surfaced in unrelated future conversations, creating a growing privacy exposure over time.
INFO Developer environment data committed to skill repository -5
.clawhub/lock.json was committed to the skill repository and contains installation records from the skill author's personal Clawdbot environment, including the 'academic-research-hub' skill and its installation timestamp. This is an inadvertent information leak about the developer's local configuration, not a security threat to users.
INFO Version metadata inconsistency across skill files 0
manifest.json (1.0.0), skill.json (1.2.0), SKILL.md frontmatter (2.0.1), and _meta.json history (shows 3.0.0) all report different versions. The manifest was not kept current with skill releases, indicating incomplete release hygiene. Not a security risk but suggests the manifest may not reliably reflect the skill's actual state.