Skill v1.0.0

ClawScan security

Track · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 6:44 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's stated features and runtime instructions claim many scripts and modules, but the package only contains a single local logging script — behavior is benign-looking but the missing files and minor path mismatch make the package internally inconsistent.
Guidance
This package appears to implement only a basic local habit-logging script while advertising a much larger tracking system. Before installing: (1) ask the publisher for the missing scripts and reference files (view_trends.py, update_goal.py, check_streaks.py, etc.) and review them for network calls or credential use; (2) confirm you are comfortable with data being stored under ~/.openclaw/workspace/memory/track (hidden folder in your home) or change the path to a location you control; (3) inspect any future versions for added install steps or downloads — adding external dependencies is where risk usually appears; (4) if you only need simple local logging, this single script looks harmless, but do not install or enable it expecting full goal/visualization features until the other components are provided and reviewed.

Review Dimensions

Purpose & Capability
Note: The name/description (habit/goal tracking, visualization, reminders) matches the included track_habit.py which logs habit entries locally. However the SKILL.md promises multiple other scripts (update_goal.py, view_trends.py, check_streaks.py, create_habit.py, set_goal.py, export_data.py) and reference files (references/*.md) that are not present. The single script can legitimately support basic logging, but the larger advertised feature set is not implemented here.
Instruction Scope
Concern: Runtime instructions reference multiple scripts and a storage location 'memory/track/' while the included script writes to ~/.openclaw/workspace/memory/track. The instructions do not direct reading of unrelated files or network calls, but they assume many scripts and reference docs that are missing — this is scope creep and makes the runtime behavior unclear.
Install Mechanism
OK: No install spec — instruction-only with one bundled script. Nothing is downloaded or written to system locations beyond creating a directory in the user's home; this is low-risk from an install perspective.
Credentials
OK: No environment variables, no credentials, and the script operates on local files only. Requested permissions are proportional to a local habit-logging tool. The script writes to a path under the user's home (~/.openclaw/workspace/memory/track).
Persistence & Privilege
OK: Skill is not marked always:true, does not modify other skills, and contains no autonomous persistence mechanisms. It simply creates and writes JSON files to a local directory.