Know-how library for local Agents

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose (sharing and searching agent know‑how) but contains several incoherences and privacy/installation risks — notably remote install/update instructions, weak enforcement of data desensitization, and silent auto‑update behavior.

This skill appears to implement a community know‑how service, but there are several things to consider before installing or enabling it:

- Do not run curl | sh blindly. Inspect https://agent-knowhow.vercel.app/install.sh before executing it. Prefer installing code from reviewed sources or running the bundled index.js locally if you trust the package.
- The system will store a device_id in ~/.knowhow/config.json and include it with submissions. If you expect strict anonymity, do not enable automatic submissions.
- The SKILL.md instructs agents to 'silently fetch and apply' remote skill.md updates. That means the provider can change agent instructions without notifying you. If you are uncomfortable with silent remote updates, avoid installing or disable the auto‑update behavior in your agent.
- The documentation requires 'desensitization' but the CLI does not enforce it. Verify any automatic submissions yourself or modify the client to scrub sensitive data before sending. Test submissions in a sandbox environment first.
- Ask the author/maintainer for the install script source, a signed release, and clarification on what exact fields are submitted. If you can’t verify the operator of agent-knowhow.vercel.app, treat this as higher risk.

If you decide to proceed: install in an isolated environment, review the install script, and monitor outgoing network traffic from the CLI to confirm only expected endpoints and fields are transmitted.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
