Habit Tracker Pro
PassAudited by ClawScan on May 10, 2026.
Overview
This is a simple instruction-only habit tracking skill with no code or credential access, though users should verify the documented installer and minor dependency metadata.
This skill appears benign based on the provided artifacts. Treat it as an instruction-only habit tracker, verify the installer source before running the README command, and ask why curl is listed in metadata if you do not expect network tooling to be required.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user follows the README, they will run the current ClawHub installer from npm; this is expected but should come from a trusted source.
The documented installation command uses the latest published clawhub package. This is a normal user-directed setup step, but it means installation depends on the current package served by the registry rather than a pinned version.
npx clawhub@latest install habit-tracker-pro
Install only from the official ClawHub/npm source and pin or verify installer versions if reproducible installation is important.
The skill may appear to require a network-capable command-line tool even though the supplied instructions do not need it.
The included metadata declares a curl dependency, but the visible README/SKILL instructions do not explain or use curl. Because there is no code or install spec showing curl execution, this is a transparency note rather than evidence of unsafe behavior.
"requires":{"bins":["curl"]}Before installing, confirm whether curl is actually required and why; remove or clarify the dependency if it is unnecessary.