ClawHub

Habitica

Habitica gamified habit tracker integration. Use for listing/creating/completing habits, dailies, todos, and rewards. Trigger on "habitica", "习惯", "待办", "日常任务", or requests to check off tasks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.9k · 0 current installs · 0 all-time installs
by@TONYUNTURN
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the included script: the code calls Habitica's API and exposes list/create/score/update/delete and user/party endpoints — this is coherent with a Habitica integration. However, the registry metadata declares no required credentials while both SKILL.md and scripts expect HABITICA_USER_ID and HABITICA_API_TOKEN (or a ~/.habitica file). That metadata omission is inconsistent and should be corrected.
!
Instruction Scope
SKILL.md and the script instruct the agent to load credentials from ~/.habitica using 'source'. Sourcing a user file executes any shell code in it, not only variable assignments, which is a risk. The SKILL.md also recommends spawning 'sub-agents' for batch operations; that lets the skill perform multi-call background work autonomously and could widen the blast radius if credentials are compromised. The script's network calls are all to habitica.com, which is expected.
Install Mechanism
There is no remote install/download step and no third-party packages fetched at install time — the skill is provided as local shell script(s) and docs. This limits supply-chain risk. The script does assume availability of curl and jq at runtime but does not declare them in the skill metadata.
!
Credentials
The functionality legitimately requires Habitica credentials (HABITICA_USER_ID and HABITICA_API_TOKEN), but the skill metadata lists no required env vars or primary credential. That mismatch is problematic: users and automated systems won't be warned that secrets are needed. Also, the recommended storage location (~/.habitica) is sourced by the script, increasing risk if the file contains more than simple assignments. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or system-wide settings. However, the SKILL.md explicitly suggests spawning sub-agents for background/batch tasks; while not inherently malicious, background execution increases the surface area and should be considered before granting autonomous invocation.
What to consider before installing
Things to consider before installing or using this skill: - Metadata mismatch: the skill does not declare required env vars, but you must provide HABITICA_USER_ID and HABITICA_API_TOKEN (SKILL.md and script expect them). Ask the publisher to add these to the skill metadata so automated systems and users are aware secrets are required. - Credential storage: the README says to put credentials in ~/.habitica and the script 'sources' that file. 'source' will execute any shell code in the file, not just read variables. If you use a file, make it contain only plain assignments (HABITICA_USER_ID=... HABITICA_API_TOKEN=...) and set tight file permissions (chmod 600). Alternatively, set the two variables in the environment rather than using a sourced file. - Background/sub-agent guidance: the skill suggests spawning sub-agents for batch operations. That allows the skill to make multiple API calls in the background — avoid enabling autonomous execution unless you trust the skill and its owner. - Review the script: it appears to call only Habitica's API (https://habitica.com/api/v3), which matches purpose. Still, inspect scripts/habitica.sh yourself (it's included) to confirm there are no unexpected endpoints or commands. - Runtime dependencies: the script uses curl and jq but the skill metadata does not list them. Ensure your environment has these binaries before use. If you don't trust the skill's publisher or can't verify the script, do not provide your Habitica API token. Request that the publisher update the skill metadata to declare required credentials and clarify the background execution behaviour.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.3
Download zip
latestvk972btae2de5bkevwck1wtjrc580emfj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Habitica Skill

Full-featured CLI for Habitica's gamified task manager.

Setup

Credentials in ~/.habitica:

HABITICA_USER_ID="your-user-id"
HABITICA_API_TOKEN="your-api-token"

Get from: Habitica → Settings → Site Data → Show API Token

Commands

Tasks

./scripts/habitica.sh list [habits|dailys|todos|rewards|all]
./scripts/habitica.sh create <type> "text" ["notes"]
./scripts/habitica.sh score <task-id> [up|down]
./scripts/habitica.sh update <task-id> --text "new" --notes "new"
./scripts/habitica.sh delete <task-id>

User & Stats

./scripts/habitica.sh user          # Basic stats
./scripts/habitica.sh stats         # Full stats (STR/INT/CON/PER)

Collections

./scripts/habitica.sh pets          # Your pets
./scripts/habitica.sh mounts        # Your mounts
./scripts/habitica.sh achievements  # Achievement list
./scripts/habitica.sh inventory     # Eggs, potions, food, quest scrolls

Party & Social

./scripts/habitica.sh party         # Party info + chat
./scripts/habitica.sh party-chat 10 # Last N messages
./scripts/habitica.sh party-send "message"
./scripts/habitica.sh guilds        # Guild list

Skills (Class Abilities)

./scripts/habitica.sh skills        # List available skills
./scripts/habitica.sh cast <skill> [taskId]

Rogue: pickPocket, backStab, toolsOfTrade, stealth Warrior: smash, defensiveStance, valorousPresence, intimidate Mage: fireball, mpheal, earth, frost Healer: heal, healAll, protectAura, brightness

Quest

./scripts/habitica.sh quest         # Current quest status
./scripts/habitica.sh quest-accept  # Check and accept pending quest invitations

Other

./scripts/habitica.sh history [exp|todos]
./scripts/habitica.sh cron          # Force new day

Notes

  • Dailies use dailys (Habitica's spelling)
  • Task IDs are UUIDs from list output
  • Rate limit: 30s between automated calls

Background Execution (Sub-agents)

For batch operations (e.g., scoring multiple tasks) or slow operations, spawn a sub-agent to keep the main chat responsive.

Prompt Pattern:

Task: Habitica Batch Operation
- Score task 123 (up)
- Score task 456 (up)
- Create todo "New Task"
Report back briefly when done.

When to use:

  • User asks to complete >1 task at once
  • User asks for a summary/analysis that requires multiple API calls (e.g., "check all my tasks and tell me what to do")
  • Network latency is high

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…