Habit AI
v1.2.0
Track nutrition, meals, water, weight, steps, meditation, and journal entries via the Habit AI API — a completely free service. Use when logging food, checki...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included endpoints and instructions: the skill is a wrapper for the Habit AI REST API (meals, water, weight, steps, coaches, journal). However, the SKILL.md expects an API key in HABITAI_API_KEY even though the registry metadata lists no required env vars. This mismatch is unexpected, and the variable should be declared.
Instruction Scope
Instructions tell the agent to call GET /profile and POST /meals and otherwise stay within the Habit API, which is appropriate. However, the guide explicitly says not to call the built-in /analyze/ endpoints and instead to use the agent's own vision/language capabilities to analyze photos/descriptions and compute nutrition (including using 'USDA data'), without providing data sources or safeguards. That raises privacy and scope concerns (where images are processed, what external data is used, and how accurate nutrition calculations are derived).
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal filesystem or execution risk. This is the lowest install risk category.
Credentials
SKILL.md instructs the user to export HABITAI_API_KEY and use it for Authorization, but the registry metadata lists no required env vars/primary credential. The skill should declare HABITAI_API_KEY as a required/primary credential. Other than that single API key, no unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' nor install components or modify other skills. It does allow normal autonomous invocation (platform default), which is expected and not in itself a red flag.
What to consider before installing
This skill appears to be a straightforward Habit AI API integration, but take these precautions before installing or using it:
- Ask the publisher to declare HABITAI_API_KEY in the skill metadata (it currently isn't listed) so platform/permissions are clear.
- Confirm where images will be processed: the SKILL.md tells the agent to analyze photos itself rather than using Habit AI's /analyze endpoints. Ask whether image data will be kept locally or transmitted elsewhere, and insist on explicit handling rules and user consent for image exposure.
- Ask how USDA nutrition data is accessed or referenced — the skill asks you to 'use USDA data' but provides no data source or model instruction; verify accuracy expectations.
- Because the skill source is unknown and homepage absent, treat the API key as sensitive: only provide a key with restricted scope/ability or use a throwaway key if testing. Revoke or rotate keys after evaluation.
- Prefer a version that explicitly declares required env vars and documents privacy and data flow (where images or personal health details are sent and stored).
If the publisher can clarify and fix the metadata (declare HABITAI_API_KEY) and explain the rationale for avoiding built-in analyze endpoints and for image handling, the inconsistencies would be resolved and the skill would be more trustworthy.
