Water Tracker
v1.0.1Auto-learns your hydration habits. Tracks water intake from casual mentions without precise measuring.
⭐ 3· 956·1 current·1 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with the behavior (tracking hydration from casual mentions). However the skill metadata declared no required config paths, yet SKILL.md instructs the agent to create and maintain a persistent file at ~/water/memory.md in the user's home — that is a configuration/persistence requirement that was not declared. The storage behavior is plausible for the purpose, but the metadata/instruction mismatch is an inconsistency.
Instruction Scope
Instructions say to 'Absorb hydration mentions from ANY source (conversations, meal logs, exercise)'. That phrasing is very broad and could lead the agent to collect mentions from unrelated contexts. The skill also silently records correlations and preferences and is explicit about 'note increased needs silently' — building persistent, non-obvious profiles. The SKILL.md does not instruct reading system files or external credentials, but it does instruct persistent logging of user content without clear user-visible controls.
Install Mechanism
No install spec and no code files (instruction-only). This is low-risk from an installation/execution viewpoint — nothing is downloaded or compiled.
Credentials
No environment variables, binaries, or credentials are requested (appropriate). However, the skill writes a persistent file in the user's home directory (~/water/memory.md) even though no required config paths were declared in the metadata; this persistence is a data access/retention consideration that should have been declared.
Persistence & Privilege
The skill explicitly persists user-derived data to disk and promises 'Preferences now persist across skill updates.' While persistence itself is reasonable for a tracking skill, this is a durable retention of conversational content and inferred health signals in plain text under the user's home directory. The skill does not request always: true, but the combination of silent note-taking and durable storage raises privacy concerns and potential surprise for users.
What to consider before installing
This skill appears to do what it claims, but it will create and maintain a plain-text file at ~/water/memory.md containing inferred hydration data and patterns. Before installing, consider: (1) Are you comfortable with the agent persistently storing conversational content/health signals locally? (2) The metadata did not declare this config path — ask the publisher to explicitly declare storage behavior and where data is kept. (3) Request an opt-out or review mechanism (e.g., let you preview/approve entries, configurable storage location, automatic deletion). (4) If you proceed, periodically inspect ~/water/memory.md and consider placing it in an encrypted location or backing it up/clearing it if you do not want long-term retention. If you want stronger privacy guarantees, only enable the skill when explicitly invoked and avoid granting it access to other skill contexts you consider sensitive.Like a lobster shell, security has layers — review code before you run it.
latestvk977wkdy1zhjp0eed1jwcr6yrn816njj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.