Skill Tracker

This skill is coherent with its description and runs entirely on local files, but review before installing: - Audit stored data: the scripts create JSONL health and usage files under ~/.openclaw/data/gungun/ and markdown reports under your workspace. Check these directories for sensitive content and set restrictive file permissions (600/700) if needed. - Sanitize inputs: the code writes proposals using the skill_name directly into filenames (pending/<skill_name>.json). If a skill can supply an arbitrary name, a malicious or buggy skill could craft a name with path components (e.g., "../../.ssh/authorized_keys") to write outside the intended directory. Only accept logs from trusted skills or modify the scripts to sanitize/slugify skill names before writing files. - Control what is logged: the logger accepts a metadata dict and user_satisfaction values. Ensure other skills do not log PII, secrets, or user content into these fields — or implement filtering/encryption before writing. - Cron and workspace paths: setup-cron.sh provides sample crontab lines but doesn't install them automatically. If you enable scheduled runs, ensure the cron jobs run as the intended user and log files (in /tmp) are protected. If you trust the environment and will restrict which skills can call log_skill_usage (or patch the code to sanitize names and limit metadata), the skill is reasonable to use. If you cannot guarantee that only trusted skills will report usage, consider fixing the filename handling and adding input validation/encryption before deploying.