Aionis

What to consider before installing/bootstrapping: - Metadata mismatch: the registry entry claims no required env vars or binaries, but SKILL.md requires AIONIS_BASE_URL and either AIONIS_API_KEY or AIONIS_AUTH_BEARER, and the bootstrap script requires docker, curl, and openssl. Treat the package as needing those tools and secrets even though they aren't declared in metadata. - Bootstrap behavior: the provided script will pull and run ghcr.io/cognary/aionis:standalone-v0.2.5, write .runtime/aionis.env and .runtime/clawbot.env (including generated ADMIN_TOKEN and memory API key), and create a persistent Docker container and volume. If you run it, do so in a controlled/sandboxed environment (not on a production host) until you trust the image. - Trust the image/source: inspect the GHCR image (repository, maintainer, and image digest) before pulling. If possible, pull and inspect the image locally, or run it in an isolated VM. Confirm the upstream project's repo and image provenance (cognary) match expectations. - Secrets handling: the script generates and writes API/admin tokens to files and suggests sourcing them; sourcing exposes secrets into your shell environment. Avoid automatic sourcing from untrusted packages and securely store or rotate any generated admin keys. - If you only need remote Aionis access (not local standalone), you can skip the bootstrap and point AIONIS_BASE_URL and the API key to an existing trusted endpoint. - Recommended immediate actions: verify the GHCR image (digest and upstream repo), review the container image contents if possible, run the bootstrap only in an isolated environment, and ensure the package metadata is corrected or clarified before using in sensitive environments.