v1.0.1

Huckleberry

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:52 AM.

Analysis

Huckleberry is a coherent instruction-only CLI guide for baby tracking, with disclosed but sensitive use of an unofficial package and Huckleberry account credentials.

Guidance

Before installing, remember this is an unofficial Huckleberry CLI. Verify the package source, authenticate only if you trust it, and double-check child name, activity type, amounts, units, and measurements before running logging commands.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
> **Note:** This is an unofficial tool and is not affiliated with Huckleberry. ... `pip install huckleberry-cli`

The skill asks the user to install an external, unofficial CLI package; this is disclosed and central to the skill, but package provenance and version pinning are not provided in the artifacts.

User impact: You would be trusting a third-party package to run locally and interact with a baby-tracking account.
Recommendation: Install only if you trust the package source; consider verifying the package, version, and dependency provenance before authenticating.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
`huckleberry sleep stop`, `huckleberry feed bottle <amount>`, `huckleberry diaper both`, `huckleberry growth --weight=7.5`

These commands save baby-tracking records to the Huckleberry account; they are purpose-aligned but mutate personal account data.

User impact: Incorrect child names, amounts, units, or measurements could create inaccurate baby-care records.
Recommendation: Use these commands only for explicit user requests and confirm child, activity type, amount, units, and timing before logging.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Config stored at `~/.config/huckleberry/config.json`. ... `HUCKLEBERRY_EMAIL` ... `HUCKLEBERRY_PASSWORD`

The CLI requires Huckleberry account authentication and can persist account configuration locally; this is expected for the stated purpose but involves sensitive credentials.

User impact: The CLI can access the user's Huckleberry account and child-related profile or tracking data.
Recommendation: Authenticate only if you trust the CLI, avoid storing passwords in shell history or shared profiles, and protect the local config file.