Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiao Habit Tracker

v1.0.0

Habit tracker - habit check-ins, statistical analysis, achievement system

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md shows runtime usage via a 'clawhub' CLI (clawhub habit add/checkin/stats), and README suggests installing via 'npx clawhub@latest install habit-tracker'. But the registry metadata at the top claimed no required binaries, while _meta.json lists 'curl'. The presence of 'curl' is not explained by the instructions and 'clawhub' (the actual runtime dependency) is not declared — the declared requirements do not match what the skill's docs say is needed.
Instruction Scope
The SKILL.md only instructs running the 'clawhub' CLI with habit-related commands (no direct file reads or env-var access). However, it gives no detail about where user data is stored or how 'reminder notifications'/'cloud sync' work — those likely involve network activity or external services invoked by the clawhub CLI, which the skill does not document.
Install Mechanism
There is no formal install spec in the skill bundle (instruction-only), but README recommends installing via 'npx clawhub@latest'. npx will download and run code from the npm registry; because there is no declared source or homepage and no package provenance, that introduces risk. Also _meta.json requiring 'curl' is unexplained.
Credentials
The skill declares no required environment variables or credentials (good), but feature descriptions (cloud sync, notifications, pricing tiers) imply backend services and possible credentials — none are declared or explained. That mismatch could hide required secrets or external endpoints.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and has no install-time scripts in the bundle. As an instruction-only skill it cannot itself write files; however the external 'clawhub' CLI (which it calls) may create/configure local files — the skill bundle does not attempt to modify other skills or system settings.
What to consider before installing
This skill's files look like a simple habit tracker, but there are unexplained inconsistencies: the manifest lists 'curl', the docs expect a 'clawhub' CLI installed via npx, and there's no source or homepage to verify. Before installing or running commands:
1) Ask the publisher for the canonical source (GitHub or package page) and a homepage;
2) Verify the 'clawhub' npm package (maintainer, code, and network behavior) before running npx;
3) Confirm where habit data is stored and whether cloud sync requires credentials — do not provide secrets until you know the endpoint and auth method;
4) If you must test, run it in an isolated environment (VM or container) and monitor network traffic.
If the publisher cannot justify the curl requirement or provide source code, treat this skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk972knewnwxcxp5w89d9zck66n85aekw
31 downloads
0 stars
1 version
Updated 17h ago
v1.0.0
MIT-0

Habit Tracker

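A habit-tracking tool that helps you build and keep good habits.

Features

  • ✅ Habit check-ins
  • ✅ Statistical analysis
  • ✅ Achievement system
  • ✅ Reminder notifications
  • ✅ Data export

Usage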

# Add a habit ("早起" means "wake up early")
clawhub habit add --name "早起" --frequency daily

# Check in
clawhub habit checkin --name "早起"

# View statistics
clawhub habit stats --name "早起" --days 30

# View achievements
clawhub habit achievements

Pricing

Version      | Price     | Features
Free         | ¥0        | 3 habits
Pro          | ¥29       | Unlimited habits
Subscription | ¥6/month  | Pro + cloud sync
