Persona Sync

This skill largely does what it says — it syncs persona files to a GitHub private repo using a small Python script — but there are important surprises you should consider before installing: - Dependency mismatch: The registry metadata claims no required binaries, but the script requires git and python3. Ensure those are present and trusted. - Global git config change: The script runs `git config --global credential.helper store`, which permanently changes your global Git behavior (it makes Git store credentials in ~/.git-credentials). That affects all repositories on the machine. - Plaintext credential storage: Using 'store' writes credentials to ~/.git-credentials (plaintext). The SKILL.md/SPEC.md claim 0600 permissions and 'secure storage', but the script does not set or verify permissions on ~/.git-credentials. Consider whether you accept storing a PAT in plaintext on this machine. - Alternatives to consider: use a repo-specific approach (SSH deploy keys or a local-only credential helper), use a PAT with minimal scope, enable 2FA, or run the sync inside a restricted environment (container or dedicated user account) to limit exposure. - What to check if you want to proceed: review scripts/sync.py yourself, confirm you are comfortable with git --global changes, manually run init to see what gets written, and after first run verify permissions of ~/.git-credentials and whether git config --global was changed. Because of the global config/credential storage side effects and the metadata inconsistencies, treat this skill as suspicious until you verify those behaviors and accept the risks.