HabitChat

Security checks across malware telemetry and agentic risk

Overview

HabitChat is mostly a coherent local habit tracker, but its reminder feature can generate executable shell scripts from unsanitized habit names, creating a command-execution risk if reminders are enabled.

Review carefully before installing. Basic tracking appears local and purpose-aligned, but avoid enabling reminders until the publisher escapes habit names safely. Do not use habit names containing quotes, backticks, dollar signs, semicolons, pipes, or command substitutions, and inspect any generated reminder script before adding it to cron.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to execute shell commands and write persistent data under ~/.habitchat/, yet it declares no permissions. This creates a trust and consent gap: users or hosting platforms may believe the skill is low-risk while it can modify files, invoke Python, and potentially trigger OS-level reminder behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The published description frames the skill as habit tracking and coaching, but the instructions also include reminder setup, platform-specific notification mechanisms, and broader lifecycle management actions. That mismatch can mislead users and reviewers about the true operational scope, especially because some actions persist state, integrate with the OS, or schedule future behavior.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation criteria include broad coaching and motivation language that can match ordinary conversation, causing the skill to activate outside clear user intent. In this skill, accidental activation is more concerning because activation can lead to shell-command workflows, local data creation, and changes to tracked habits.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example trigger phrase 'coach me' is overly generic and likely to collide with normal assistant usage. Because this skill can initialize storage, manipulate habit records, and invoke scripts, a weak trigger increases the chance of unintended execution paths and user confusion.

VirusTotal

64/64 vendors flagged this skill as clean.