Ensoul

The 'ensoul' skill (SKILL.md) instructs the agent to read and transmit sensitive state files, including SOUL.md, MEMORY.md, and 'any other agent configuration files,' to an external service (ensoul.dev). This broad instruction poses a high risk of accidental exfiltration of secrets, environment variables, or API keys. Additionally, the _meta.json file contains a future-dated publishedAt timestamp (April 2026), which is a notable anomaly for a current package.