Skill Tracker
v1.2.0通用技能使用统计追踪器,支持 Python 和 Node.js 技能,自动记录调用次数、成功率,生成使用排行榜。数据本地存储,保护隐私。
⭐ 0· 124·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the code: both Python and Node.js implementations are present and implement local usage tracking. Minor inconsistencies: registry metadata and SKILL.md declare python3 as the required binary but a full Node.js implementation (index.js, package.json) is included — if you plan to use the Node version you must ensure Node is available. The registry also labeled this as 'instruction-only' despite shipping code files; this is plausibly just packaging but worth noting.
Instruction Scope
SKILL.md and the code only write local files (skill-stats.json, usage-log.jsonl) and provide APIs for integrators to call. They record fields like user, channel, session_id and error text which can contain PII or session identifiers. The docs reference a script (node scripts/check-integration.js) that is not present in the package. There are no instructions to read unrelated system files or send data externally.
Install Mechanism
No remote download/install mechanism is declared; repository includes source files (Python/Node) and setup.py / package.json for local install. No suspicious URLs, extract steps, or third-party binaries observed. This is low-risk from an install-source perspective.
Credentials
The skill requests no environment variables or credentials (proportionate). However, it logs context fields (user, session_id, channel, error) that can contain sensitive data; configuration allows changing data_dir (examples show /var/log/skill-tracker), which could require elevated privileges if set to system locations. No external credentials are requested.
Persistence & Privilege
The skill persists data locally and does not request elevated platform privileges. always is false and it does not modify other skills' configs. Be aware that changing the configured data_dir to system paths (e.g., /var/log) may require higher privileges and could increase persistence/impact.
Assessment
This package appears to implement a local-only skill analytics tracker, but before installing: 1) Verify the source (GitHub homepage) and that you trust the publisher. 2) Confirm which implementation you will use (Python vs Node); if you use the Node version, ensure Node is available (metadata only declared python3). 3) Inspect/choose the data_dir: default is package-relative data/ (safe), but examples use /var/log which may require root—don't set system directories unless intended. 4) Review what you log: the tracker saves user, session_id, channel and error text — these can be PII or session tokens. Turn off logRaw or redact sensitive fields if needed and set an appropriate retention policy. 5) Note a small docs inconsistency (referenced script missing); if you rely on any helper scripts, verify they exist. 6) If you need stronger guarantees, run the code in a sandbox or review the code paths that write files to ensure no unexpected file access or network calls are introduced in future versions.Like a lobster shell, security has layers — review code before you run it.
latestvk97ddfjn6w35cz7c926vvk8ts183741g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
OSLinux · macOS · Windows
Binspython3