GrowthLoop – Plan & Habit Tracker

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill

Name: 28-day-goal-supervisor

Version: 1.0.0

The OpenClaw AgentSkills skill bundle for the '28-day-goal-supervisor' habit tracker is classified as benign. All Python code files (`agent.py`, `models.py`, `reminder.py`, `store.py`, `visualizer.py`, `verify.py`) and markdown documentation (`SKILL.md`, `references/*.md`) are aligned with the stated purpose of a habit tracking application. Data persistence is handled locally using JSON files with file locking and atomic writes (`store.py`). There are no indications of intentional data exfiltration, unauthorized remote execution, persistence mechanisms, or malicious prompt injection attempts against the AI agent. The `SKILL.md` and `references/*.md` files provide instructions for the AI agent's persona and operational logic, but these instructions are self-referential to the skill's functionality and do not attempt to subvert the agent's core directives or access unrelated sensitive data. While any AI agent skill has inherent prompt injection risks if user input is not properly sanitized or if the agent misinterprets instructions, the provided code does not exhibit malicious intent in its design or implementation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant may run the habit tracker’s local reminder check during ordinary conversations, not only after an explicit habit-tracking command.

Why it was flagged

The skill explicitly asks the agent to run a local Python reminder check on each conversation. This is narrow and related to reminders, but it is autonomous tool use.

Skill content

**Heartbeat check (runs automatically on every conversation)**: call `python3 {baseDir}/agent.py remind --data-dir DATA_DIR`, or call `ReminderEngine.check_pending()` in code

Recommendation

Install only if you want conversation-level habit reminders; avoid or disable the heartbeat behavior if you prefer strictly manual check-ins.

What this means

Private habit details, health goals, and progress notes may remain on disk and appear in future habit-tracking interactions.

Why it was flagged

The skill stores habit goals, check-ins, and rationalization dialogue persistently in a local JSON file, so user-entered personal text can be reused in later coaching or reminders.

Skill content

All data is stored in `~/.openclaw/workspace/data/habit-tracker/habits.json`; each round calls `update_rationalization()` to record the dialogue

Recommendation

Do not put secrets in habit names or notes; review or delete `habits.json` and its backups if you want to clear stored habit history.

Note: High Confidence

ASI10: Rogue Agents

What this means

If you configure cron, curl, launchd, or another scheduler, reminders can continue being generated until that scheduler is removed.

Why it was flagged

The reminder engine supports scheduled triggering and persistent pending reminders. The artifacts do not show it installing a scheduler itself, so this is user-directed persistence rather than hidden background behavior.

Skill content

Entry point for scheduled curl calls ... generates reminders and writes them to pending_reminders

Recommendation

Only configure scheduled reminders intentionally, and remove any cron/launchd/GitHub Actions setup if you no longer want automated habit prompts.

What this means

It may be harder to verify the publisher or track upstream changes.

Why it was flagged

The registry metadata does not provide a public source or homepage, which limits provenance verification even though the included code appears local and dependency-light.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included Python files before installing and prefer trusted or auditable sources for skills that store personal data.