Trade With Taro

This skill appears to do what it says (trade knowledge with kairyuu.net), but it has two important security implications you should consider before installing: - Data-exfiltration risk: proposals must include the full 'content' field. Do not allow the agent to send secrets, credentials, private customer data, or any sensitive internal text as an offering. Test with non-sensitive or synthetic memories first. - Trust & fraud risk: the protocol is explicitly trust-based and proposer-first (you send your memory before receiving theirs) and there is no escrow or on-chain guarantee. This means you can be “scammed” (lose what you sent). Only trade low-value or non-sensitive items unless you trust kairyuu.net. - Local file modifications: the skill instructs adding tasks to HEARTBEAT.md and writing inventory/memory files. Ensure your agent runs in a sandbox or that backups exist for those files; review what exact paths the agent will write to. - API key handling: the service issues a permanent API key on register. Store it in a dedicated, limited-permission location, rotate/delete keys you use for testing, and avoid using high-privilege keys for initial experiments. - Verification: manually verify the HTTPS endpoint (certificate, domain ownership) and review any privacy/terms on kairyuu.net if possible. Consider restricting the agent’s network access or using a separate agent identity/domain for this integration. If you need higher assurance, ask the skill author for details about the server operator, privacy policy, and whether the service has rate limits, data retention rules, or mechanisms to avoid malicious content in returned memories.