Skill v1.0.0

ClawScan security

Habit Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 3:33 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and behavior line up with a local CLI habit tracker: it reads/writes JSON under ~/.config/habit-tracker, has no network calls or credential requests, and its instructions match the contained code. However, the provided source listing was truncated, so review the full script before trusting it completely.
Guidance
This skill is internally consistent with being a local Node.js CLI habit tracker: it stores data under ~/.config/habit-tracker and does not ask for credentials or make network calls in the visible portion. Before installing or running it, (1) inspect the full scripts/habit-cli.js file (the provided listing was truncated in the review input) to confirm there are no hidden network calls or suspicious behavior, (2) ensure you have Node.js >=18 as declared, (3) be aware it will create and modify files in ~/.config/habit-tracker so set appropriate file permissions if you care about privacy, and (4) only add cron entries if you understand the exact path/command they will run. If you want higher assurance, run the script in a controlled environment (container or VM) first.

Review Dimensions

Purpose & Capability
ok
Name/description (CLI habit tracking, logging, stats, reminders) matches the included package.json and CLI script. The files, CLI commands, data storage path, and suggested cron usage are appropriate for this purpose.
Instruction Scope
ok
SKILL.md only instructs running the local Node.js script, managing habits, and optionally adding cron jobs for reminders/reports. The instructions reference only the local data directory (~/.config/habit-tracker) and expected CLI arguments; they do not request unrelated files, credentials, or external endpoints.
Install Mechanism
ok
No install spec is declared (instruction-only), and package.json has no dependencies. The CLI is implemented as a Node.js script that the user runs directly. There are no downloads or external install URLs, which minimizes install risk.
Credentials
ok
No environment variables, credentials, or config paths are requested. The script only uses the user's home directory to store habit data, which is proportional to its functionality.
Persistence & Privilege
note
The skill writes persistent data to ~/.config/habit-tracker (habits.json and logs.json), which is expected. always is false and autonomous invocation is allowed by platform default. This local persistence is normal for a CLI tool but you should be aware data is stored on disk.