Habit Tracker Pro
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user follows the README, they will run the current ClawHub installer from npm; this is expected but should come from a trusted source.
The documented installation command uses the latest published clawhub package. This is a normal user-directed setup step, but it means installation depends on the current package served by the registry rather than a pinned version.
npx clawhub@latest install habit-tracker-pro
Install only from the official ClawHub/npm source and pin or verify installer versions if reproducible installation is important.
The skill may appear to require a network-capable command-line tool even though the supplied instructions do not need it.
The included metadata declares a curl dependency, but the visible README/SKILL instructions do not explain or use curl. Because there is no code or install spec showing curl execution, this is a transparency note rather than evidence of unsafe behavior.
"requires":{"bins":["curl"]}Before installing, confirm whether curl is actually required and why; remove or clarify the dependency if it is unnecessary.