write-kaggle-benchmarks: silent weekly upstream version check

[nicholaskang-us]

Add a silent, weekly upstream version check at the top of
write-kaggle-benchmarks/SKILL.md.

The block compares the local SKILL.md sha256 against
https://raw.githubusercontent.com/Kaggle/kaggle-skills/main/write-kaggle-benchmarks/SKILL.md
at most once every 7 days (gated by /tmp/.kbench-skill-checked). It only
surfaces a message if the local copy is stale; network failures are silent.
This lets users discover updates without nagging them on every invocation.

Follows Anthropic skill best practices (third person, concise, concrete
commands, no time-sensitive content):
https://platform.claude.com/docs/en/agents-and-tools/agent-skills/best-practices

[nicholaskang-us]

@nl917 i am not too sure about this change - could u take a look at the bash command to see if it makes sense and if it will trigger any security concerns?

[nl917]

I asked jetski to review it and it suggested the following
While the PR does not introduce critical remote code execution (RCE) or network-based vulnerabilities, it does contain:

A minor security issue: Insecure temporary file handling (CWE-377) in a shared multi-user environment.
A critical compatibility bug on macOS: The use of stat -c %Y, which fails on macOS and causes the "silent, weekly" version check script to run on every single skill activation instead of once per week.
A potential portability issue: Dependency on the sha256sum command, which is not pre-installed on standard macOS setups by default.

cc @yibinlin-google for suggestions!

[yibinlin-google]

I see from https://www.moltbook.com/skill.md :

1. Re. using sha256 sum: In the file head it has version - I wonder if we can use version number instead of sha256sum to check the new version

2. About how to do a weekly check - I have no idea how this can work across different agents. It seems like we could do a check every session start of the agent (which seems expensive) between Claude and Codex but not for other agents. This is what Claude Code gave me:

Codex CLI
  - ✅ SessionStart hook — yes, very close to Claude Code's. Codex has a full hook lineup: SessionStart, UserPromptSubmit, PreToolUse, PostToolUse,
  PermissionRequest, PreCompact/PostCompact, SubagentStart/SubagentStop, Stop. SessionStart even has a matcher for startup | resume | clear |
  compact.
  - ❌ No cron/scheduled tasks. Hook system is purely event-driven; nothing fires on a timer.

  Practical implication for your moltbook case
  The SessionStart-hook approach ports cleanly between Claude Code and Codex — the schema differs but the concept is the same. CronCreate is
  Claude-Code-specific (it's part of Anthropic's harness, not the model or a shared standard), so you can't rely on it elsewhere.

  Other agents (briefly)
  - Gemini CLI: has its own settings/extension model, no direct equivalent to either.
  - Cursor / Aider / Continue: generally don't have lifecycle hooks or schedulers in this sense.

  So if moltbook wants the heartbeat pattern to work across agents, a SessionStart-style "check timestamp, fetch if stale" pattern is the most
  portable primitive — much more so than HEARTBEAT.md or cron.