Habit AI
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Habit AI integration, but it uses an API key to read and write sensitive health, nutrition, profile, and journal data with an external service.
Before installing, be aware that this skill is meant to send and store personal health and journal data in Habit AI. Keep the API key private, revoke it if you stop using the skill, and ask the agent to confirm before updating profiles, deleting entries, or making other account-changing requests.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent action using this key can access and modify the user's Habit AI data according to the API permissions.
The skill requires a bearer API key that grants access to the user's Habit AI account. This is expected for the integration, but the registry metadata lists no primary credential or required environment variable.
Store key in environment: `export HABITAI_API_KEY="hab_..."` ... Auth header: `Authorization: Bearer $HABITAI_API_KEY`
Store the API key securely, revoke it if no longer needed, and review any agent-requested account changes before allowing them.
Private wellness, nutrition, weight, profile, and journal information may be stored and processed by Habit AI.
The documented API sends journal content and health history to an external provider and allows coach endpoints to use that stored history.
POST /journal ... Required: `content` ... POST /coaches/eating ... access to user's meal history, goals, and patterns.
Use the skill only if you are comfortable sending this type of personal data to Habit AI, and avoid logging especially sensitive journal content unless needed.
Accidental or overly broad agent actions could update profile details, delete logs, delete journal entries, or revoke API keys.
The API reference includes account mutation and deletion operations. These are coherent for a tracking app, but they can change or remove user data.
PUT /profile ... Update profile fields ... DELETE /meals/:id ... DELETE /journal/:id ... DELETE /keys/:id
Confirm destructive or account-changing operations explicitly, especially profile edits, deletes, and API key changes.
