Fix Your Entire Life in 1 Day

What to do before installing or running this skill: - Inspect the bundled scripts (scripts/handler.sh, scripts/export.sh, scripts/init.sh, scripts/status.sh) before executing anything. Search for network commands (curl, wget, nc, netcat, ssh, scp), remote hosts, base64/openssl decode+exec patterns, and any use of eval, backticks, or unescaped variable expansion that could allow command injection when handling user text. - Pay special attention to how user input is handled. The handler is called like: handler.sh save "USER_RESPONSE" — if the script inserts that text into shell commands without sanitization, a maliciously crafted response could execute arbitrary commands. - Check whether the scripts modify system schedulers (crontab, at, systemctl timers) or edit files outside the skill workspace. If they do, ask the author to justify why and consider running in a restricted environment. - Run the skill in a sandbox first (a throwaway VM or container) and monitor outbound network connections and file writes. Verify reminders behavior (do they only schedule local notifications or attempt to contact external services?). - Ensure the agent process has minimal permissions; avoid running as root. Back up any important data from your normal workspace before first run. - If you are not comfortable auditing shell scripts, decline installation or ask the maintainer for a review that documents: (a) that no external network calls are made, (b) that scheduling is done only via local, user-owned crontab entries (if at all), and (c) that user input is safely escaped/handled. If the scripts are clean and only write session files under $WORKSPACE and schedule reminders via safe, local mechanisms, the skill appears coherent for its coaching purpose. If the scripts contact remote endpoints, modify system-wide config, or use unsafe shell practices, consider the skill untrusted.