second brain

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for an Ensue-backed personal knowledge base, but it uses an API key and can persist, retrieve, update, and delete remote memory entries.

This appears safe for its stated purpose if you trust Ensue and the skill publisher. Before installing, understand that your saved knowledge may be stored remotely, embedded for search, and later reused in conversations; confirm any write/delete action and never save credentials, tokens, private paths, or sensitive personal details.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken invocation could modify or delete entries in the user's Ensue knowledge base.

Why it was flagged

The wrapper passes the requested method name and JSON arguments directly to the Ensue tools API. This is purpose-aligned, but it includes mutation-capable operations documented by the skill.

Skill content

METHOD="$1"
ARGS="$2"
...
"params":{"name":"$METHOD","arguments":$ARGS}

Recommendation

Use only the documented memory methods and confirm create, update, and delete actions before running them.

What this means

The configured API key gives the skill access to the user's Ensue account according to that key's permissions.

Why it was flagged

The script authenticates to Ensue with a bearer API key. This is expected for the integration, and the artifact does not show the key being logged or sent elsewhere.

Skill content

-H "Authorization: Bearer $ENSUE_API_KEY"

Recommendation

Use a dedicated Ensue key if possible, keep it out of notes and prompts, and rotate or revoke it if it may have been exposed.

What this means

Incorrect, sensitive, or stale saved content could persist and be surfaced in later sessions.

Why it was flagged

The skill stores content, creates embeddings, and later retrieves that memory for use in conversations. This is the intended knowledge-base function, but it means saved material can influence future answers.

Skill content

Create entry: ... "value":"Full content","embed":true ... Retrieving Knowledge: When relevant topics come up: - Search for existing knowledge

Recommendation

Review drafts before saving, avoid secrets and private paths, treat `public/` entries as shareable, and periodically clean up old or incorrect memories.

What this means

Users have less provenance information for deciding whether to trust the skill with an Ensue API key.

Why it was flagged

The registry metadata does not identify a source repository or provenance, although the supplied code is small and no install-time downloader is present.

Skill content

Source: unknown; Homepage: https://ensue-network.ai

Recommendation

Verify the publisher and Ensue service relationship before configuring credentials.