MakeSoul Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's description and security claims conflict with its runtime instructions: it says private keys stay local and no internet is required, yet its examples and endpoint specs send an X-Private-Key header to a remote API (https://makesoul.org).
Do not assume the private key remains local; the documentation is inconsistent. Before installing or using this skill, ask the author to clarify (1) whether the agent must contact makesoul.org (the config declares internet:false, yet the endpoints are remote), (2) whether the X-Private-Key header actually transmits the private key to the server (which would contradict the 'private key stays local' claim), and (3) what authentication alternatives exist (public-key signatures, short-lived tokens, or server-side verification of a public key instead of sending a raw private key). Avoid using production or high-privilege keys with this skill until the author confirms a secure, non-exfiltrating authentication scheme. If you must test, use an isolated environment and a throwaway key; prefer ENCRYPT_BACKUPS for local backups and verify that backups are actually encrypted locally before trusting them.
Static analysis
Static analysis findings are pending for this release.
VirusTotal
47/47 vendors flagged this skill as clean.
Risk analysis
No visible risk-analysis findings were reported for this release.
