Personal knowledge base powered by Ensue for capturing and retrieving understanding. Use when user wants to save knowledge, recall what they know, manage their toolbox, or build on past learnings. Triggers on "save this", "remember", "what do I know about", "add to toolbox", "my notes on", "store this concept".
Security Analysis
Medium confidence
The skill appears to do what it says (use the Ensue API to store and retrieve knowledge) but there is a notable mismatch between the registry metadata and the runtime files: the script and SKILL.md require an ENSUE_API_KEY that the registry listing does not declare. Verify before installing.
The skill's purpose (a Second Brain backed by Ensue) matches the included behavior: SKILL.md documents an Ensue API and the bundled script calls https://api.ensue-network.ai/. However, the registry metadata (Requirements section) lists no required env vars/credentials while the skill's own metadata and scripts require ENSUE_API_KEY. That discrepancy is an incoherence in the listing.
SKILL.md gives explicit interaction rules (ask before saving, verify content quality) and defines the exact API calls via the wrapper script. The instructions do not tell the agent to read unrelated files, other env vars, or exfiltrate data to arbitrary endpoints — all external calls are to api.ensue-network.ai as expected.
No install spec is provided (instruction-only), and the only code is a small included shell wrapper. There are no downloads, external installers, or archive extraction steps. This is low-risk from an install mechanism perspective.
At runtime the script requires a single credential (ENSUE_API_KEY), which is proportionate to contacting the Ensue API. The concern is that the registry metadata does not declare this required env var/primary credential, so users may not realize an API key is needed or where it will be stored. Confirm where and how you'll supply the key (clawdbot.json was referenced in the script) and that you're comfortable with that placement.
The skill is not marked always:true, does not request elevated platform privileges, and does not modify other skills or system-wide settings. It includes only its own wrapper script and operates against the Ensue API.
Guidance
This skill legitimately uses an external Ensue API and needs an ENSUE_API_KEY, but the registry listing omitted that requirement. Before installing: 1) Verify the skill source/author (source is unknown). 2) Confirm how and where you'll store the ENSUE_API_KEY (the script suggests clawdbot.json) and whether that storage meets your security policies. 3) Review Ensue's privacy/security policy to ensure you’re comfortable sending content to api.ensue-network.ai. 4) If you proceed, test with non-sensitive sample data first and ask the publisher to update the registry metadata to declare ENSUE_API_KEY so the listing is accurate.
Latest Release
v0.1.4
- Minor documentation update to SKILL.md.
- Added a new line at the top with a clear API key requirement and instructions.
- No code or functional changes were made.
Published by @christinetyip on ClawHub