install-skill-tracker
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner] Destructive bash command detected (rm -rf, chmod 777)

This skill's documented behavior matches its purpose: local collection and analysis of skill usage, durations, token usage, and prompts. There are no explicit signs of remote exfiltration, hardcoded credentials, or obfuscated/malicious code in the provided documentation. The primary risk is privacy and overbroad data collection: hooks claim to receive the 'full JSON context' and will log user prompts and session IDs, which can contain sensitive information. Because the actual hook/analysis script contents are not included, there remains some residual risk if those scripts perform network activity or unexpectedly capture more data than documented. Overall: not demonstrably malicious, but a moderate privacy/security risk unless the actual scripts are audited and redaction/retention controls are added.

LLM verification: This skill's stated purpose (track skill usage, duration, tokens, and prompts) matches the capabilities described in the documentation; installation is local-only as written. However, it collects raw user prompts and session identifiers without describing redaction, encryption, access control, or retention policies — a significant privacy risk. The static scanner flagged destructive commands (rm -rf / chmod 777) somewhere in the package set, which were not visible in the provided document and re