Monkeytype Tracker and Advisor

This skill appears to do what it says (fetch Monkeytype stats) but has several mismatches and risky instructions you should consider before installing: - Registry vs code mismatch: The skill actually needs an ApeKey (MONKEYTYPE_APE_KEY) but the published metadata does not declare this. Treat that as a red flag and ask the publisher to correct the manifest. - Secret handling: The SKILL.md asks users to paste their ApeKey into chat and/or save it into ~/.openclaw/workspace/config/monkeytype.json (plain JSON). Prefer setting the MONKEYTYPE_APE_KEY environment variable locally instead of sending it in chat. If you must provide a key, do not paste it into an untrusted conversation and be aware the key will be stored in plaintext in your workspace config. - Automations/crons: The instructions propose creating cron jobs for automated reports. Enabling scheduled runs gives the skill ongoing execution rights. Only enable automations if you trust the code and understand where secrets and outputs will be stored. - Review the code yourself or run it in an isolated environment: The included Python script is short and calls only api.monkeytype.com, but you should review it (or run it in a sandbox) before allowing scheduled runs or before storing your ApeKey on disk. - Minimum steps to mitigate risks: 1) Ask the publisher to update the registry manifest to declare the ApeKey requirement. 2) Prefer setting MONKEYTYPE_APE_KEY as an environment variable rather than pasting in chat or writing a plaintext config file. 3) If you enable automations, inspect and limit the cron job's permissions and ensure the key stored has only the necessary scope on Monkeytype. 4) If unsure, decline automated reports and use only on-demand commands after setting the env var locally. If you want, I can produce suggested safer setup text to replace the SKILL.md prompts (for example: a warning not to paste secrets in chat, and explicit instructions to set the env var instead of writing plaintext files).