Habit Check-in (习惯打卡)

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese habit tracker that stores and edits its own habit data file on the user’s machine.

Install only if you are comfortable storing habit names, goals, notes, and check-in history in a local JSON file. Back up that file if the history matters, and use the delete command carefully because it removes records for that habit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 90%
Finding
The markdown describes deleting habits and storing data in a persistent local JSON file, but it does not warn users that commands permanently modify retained personal data. This is dangerous because users may assume the tool is ephemeral, then unintentionally overwrite or delete tracking history without confirmation or backup expectations.

VirusTotal

63/63 vendors flagged this skill as clean.
