GrowthLoop – Plan & Habit Tracker

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant may run the habit tracker’s local reminder check during ordinary conversations, not only after an explicit habit-tracking command.

Why it was flagged

The skill explicitly asks the agent to run a local Python reminder check on each conversation. This is narrow and related to reminders, but it is autonomous tool use.

Skill content

**Heartbeat check (runs automatically on every conversation)**: call `python3 {baseDir}/agent.py remind --data-dir DATA_DIR`, or call `ReminderEngine.check_pending()` in code

Recommendation

Install only if you want conversation-level habit reminders; avoid or disable the heartbeat behavior if you prefer strictly manual check-ins.

What this means

Private habit details, health goals, and progress notes may remain on disk and appear in future habit-tracking interactions.

Why it was flagged

The skill stores habit goals, check-ins, and rationalization dialogue persistently in a local JSON file, so user-entered personal text can be reused in later coaching or reminders.

Skill content

All data is stored in `~/.openclaw/workspace/data/habit-tracker/habits.json`; each turn calls `update_rationalization()` to record the dialogue

Recommendation

Do not put secrets in habit names or notes; review or delete `habits.json` and its backups if you want to clear stored habit history.

What this means

If you configure cron, curl, launchd, or another scheduler, reminders can continue being generated until that scheduler is removed.

Why it was flagged

The reminder engine supports scheduled triggering and persistent pending reminders. The artifacts do not show it installing a scheduler itself, so this is user-directed persistence rather than hidden background behavior.

Skill content

Entry point for scheduled curl calls ... generates reminders and writes them to pending_reminders

Recommendation

Only configure scheduled reminders intentionally, and remove any cron/launchd/GitHub Actions setup if you no longer want automated habit prompts.

What this means

It may be harder to verify the publisher or track upstream changes.

Why it was flagged

The registry metadata does not provide a public source or homepage, which limits provenance verification even though the included code appears local and dependency-light.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included Python files before installing and prefer trusted or auditable sources for skills that store personal data.