Habitica

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Habitica CLI skill that can change Habitica account state, so it is acceptable but should be used with care.

Install only if you are comfortable giving an agent a Habitica API token that can read and modify your Habitica account. Keep ~/.habitica private, do not commit or share it, and ask for confirmation before delete, party-send, quest-accept, cast, cron, or bulk scoring actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes shell-based execution capabilities but does not declare permissions, which weakens review-time transparency and makes it harder for users or platforms to understand what the skill can do. In this context, the shell capability is used to invoke a CLI that performs authenticated API actions, so undeclared execution power increases the chance of unintended or insufficiently reviewed account-impacting operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description frames the skill as a basic task-management integration, but the documented behavior extends into broader account data access and sensitive state-changing actions such as reading party chat, sending messages, accepting quests, casting skills, and forcing cron. This mismatch is dangerous because users may authorize or invoke the skill expecting limited task operations while it actually has much wider read/write reach over their Habitica account and social data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exposes broad Habitica account-management features far beyond the declared habit-tracking purpose, including inventory, achievements, party, guild, skills, quest, and cron operations. This scope expansion increases the attack surface and enables actions on unrelated account areas that a user would not reasonably expect from a task-tracker integration.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script can read party details and chat history and can send party messages, which introduces access to and transmission of third-party social data unrelated to habit tracking. In an agent setting, this creates unnecessary privacy risk and a path for unintended disclosure or manipulation of group communications.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill can cast class skills, accept quest invitations, and run cron, all of which change account or party state without fitting the stated task-tracking scope. These actions can affect gameplay resources, quest participation, and daily progression, making them risky if triggered accidentally, via prompt confusion, or by an over-privileged agent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad everyday phrases such as Chinese terms for habits, to-dos, and daily tasks, as well as generic requests to check off tasks. Overbroad triggers can cause unintended activation in normal conversation, which is especially risky here because the skill supports authenticated read/write operations against a real user account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents destructive and state-changing commands like score, update, delete, cast, quest acceptance, chat send, and cron without any warning or confirmation guidance. Because these commands can alter account state, social interactions, and game progression, omission of safeguards increases the risk of accidental or unauthorized actions from ambiguous prompts or mistaken activation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The setup instructions tell users to place a user ID and API token in a local file without any warning that these are sensitive credentials granting account access. This is dangerous because users may store tokens insecurely, expose them through backups or logs, or share the file accidentally, enabling unauthorized reads and writes to their Habitica account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Task deletion is destructive and irreversible from the user's perspective, yet the command performs the DELETE request immediately with no warning, preview, or confirmation. In an agent workflow, a malformed ID, hallucinated instruction, or prompt-injected request could cause unintended data loss.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Quest acceptance changes account and party participation state but is performed automatically once RSVPNeeded is true, without a user disclosure or confirmation step. Although narrower than deletion, it can still commit the user to an in-game action they did not explicitly authorize.

VirusTotal

63/63 vendors flagged this skill as clean.
