Knowledge Habit Skill

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The application that actually runs may differ from what was reviewed, and npm installation can execute code from the downloaded project or its dependencies.

Why it was flagged

If the packaged tracker directory is absent, the installer fetches the latest external repository and installs its dependencies. That runnable code is not included in the reviewed artifacts and is not pinned to a commit or release.

Skill content
git clone https://github.com/puppetcat-fire/knowledge-habit-tracker.git "$TRACKER_DIR" ... npm ci --silent 2>/dev/null || npm install --silent
Recommendation

Review the upstream repository before installing, pin the installer to a specific commit or release, include the tracker source and lockfile in the package, and declare git/network installation behavior in metadata.

What this means

The desktop app may stay visible across applications and reserve global keyboard shortcuts.

Why it was flagged

Desktop mode is disclosed as using an always-on-top floating timer and global shortcuts. This is purpose-aligned, but it affects the user's desktop environment while running.

Skill content
Global floating window: an always-on-top timer window, visible across applications ... Ctrl+Shift+T: show/hide the floating window ... Ctrl+Shift+H: bring up the main window
Recommendation

Use desktop mode only if you are comfortable with the floating overlay and shortcuts; otherwise use the web mode and close the app when finished.

What this means

Private habit and work-history data can persist in browser storage, backup files, or local log directories.

Why it was flagged

The skill stores habit records, event history, timer state, backups, and optional feedback logs locally. This is expected for the tracker, but the data may contain private work habits and context.

Skill content
Event records | browser localStorage | no automatic sync ... JSON backup | user-specified file ... Feedback log | server-side data/ directory | only while the service is running
Recommendation

Treat exported backups and local logs as private, avoid using the tracker on shared machines without clearing data, and verify where the downloaded app writes files.