Beaver Habit Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Beaver Habits helper that uses your API token to read and update habit completion records.

Install only if you are comfortable giving the skill a Beaver Habits API token that can read and update your habit data. Keep SERVER_URL unset or set only to a trusted self-hosted Beaver Habits instance, and double-check habit names and dates before asking the agent to mark habits done or undone.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 84% confidence
Finding
The skill documents a state-changing action that can mark habits done or undone, but it provides no guidance to require explicit user confirmation before performing the write. Because habit names are resolved automatically and writes default to done=true and today's date, an agent could incorrectly modify the user's records based on an ambiguous request or mistaken match.

VirusTotal

64/64 vendors flagged this skill as clean.
