v0.1.3

Habitica

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:16 AM.

Analysis

The skill is a coherent Habitica integration, but it uses a Habitica API token and can change account/task and party-chat state, so users should review its scope before use.

Guidance: Before installing, confirm you are comfortable giving the skill a Habitica API token and allowing it to change tasks, score habits, delete tasks, and post party messages when asked. Keep the ~/.habitica file private and request confirmation for destructive, social, or bulk operations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
./scripts/habitica.sh score <task-id> [up|down]
./scripts/habitica.sh update <task-id> --text "new" --notes "new"
./scripts/habitica.sh delete <task-id>
...
./scripts/habitica.sh party-send "message"
...
./scripts/habitica.sh cron          # Force new day

The skill exposes commands that can mutate Habitica tasks, post to party chat, accept quest actions, and force cron/new-day behavior. These are disclosed and generally aligned with a full Habitica CLI, but they can have visible account or social effects.

User impact: Mistaken or over-broad use could delete tasks, alter progress, post a party message, or change Habitica state.
Recommendation: Ask the agent to show the intended task IDs/messages before destructive, social, or bulk actions, especially delete, party-send, quest, cast, and cron commands.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
For batch operations (e.g., scoring multiple tasks) or slow operations, spawn a sub-agent to keep the main chat responsive.

The instructions explicitly recommend delegating batch Habitica operations to a sub-agent. This is disclosed and bounded to Habitica tasks, but it increases the chance that multiple account mutations occur in the background without step-by-step visibility.

User impact: Batch task updates could complete in the background before the user has reviewed each individual action.
Recommendation: Use sub-agents only for clearly specified batches, and require a brief plan or confirmation before mutating multiple tasks.
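The two findings above (mutating commands and background batches) call for the same control: every call to the CLI passes through a gate that shows the exact invocation and runs nothing mutating until it is explicitly confirmed. The following is an added example, not code from the skill; the subcommand names are the ones quoted in the Tool Misuse finding, while the CLI path and the HABITICA_CONFIRM / HABITICA_READONLY_CMDS variables are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Habitica skill: a gate in front of the skill's
# CLI that classifies each subcommand by side effect and refuses to run anything
# that mutates the account, posts to the party, or forces cron unless the caller
# confirms explicitly. Assumptions: SKILL_CLI path, HABITICA_CONFIRM=yes as the
# confirmation switch, HABITICA_READONLY_CMDS as the operator's read-only list.
SKILL_CLI="${SKILL_CLI:-./scripts/habitica.sh}"

# Print the risk class of a subcommand. Only names listed in the
# space-separated HABITICA_READONLY_CMDS count as read-only; anything unknown
# fails closed as "mutating".
habitica_cmd_class() {
    case " ${HABITICA_READONLY_CMDS:-} " in
        *" $1 "*) echo readonly; return 0 ;;
    esac
    case "$1" in
        delete)                        echo destructive ;;
        party-send)                    echo social ;;
        score|update|quest|cast|cron)  echo mutating ;;
        *)                             echo mutating ;;
    esac
}

# Run the CLI only for read-only commands or when HABITICA_CONFIRM=yes.
# Otherwise print the exact invocation (task IDs, message text) as a plan on
# stderr and return 2, so an agent loop can surface it before retrying.
habitica_gate() {
    local class
    class=$(habitica_cmd_class "$1")
    if [ "$class" = readonly ] || [ "${HABITICA_CONFIRM:-}" = yes ]; then
        "$SKILL_CLI" "$@"
        return $?
    fi
    printf 'PLAN [%s]: %s' "$class" "$SKILL_CLI" >&2
    printf " '%s'" "$@" >&2
    printf '\n' >&2
    return 2
}

# Batch helper for "score many tasks" style work handed to a sub-agent: without
# confirmation it prints the whole plan and returns 2 having executed nothing;
# with confirmation it runs each call and stops at the first real failure.
habitica_batch() {
    local sub="$1" id rc planned=0
    shift
    for id in "$@"; do
        rc=0
        habitica_gate "$sub" "$id" || rc=$?
        case "$rc" in
            0) ;;
            2) planned=1 ;;
            *) return "$rc" ;;
        esac
    done
    [ "$planned" -eq 0 ] || return 2
}
```

Usage: `habitica_batch score <id1> <id2> ...` first prints one PLAN line per task and exits 2; after review, `HABITICA_CONFIRM=yes habitica_batch score <id1> <id2> ...` performs the calls. Because the gate is a separate layer, the skill's own script needs no changes.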
Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
scripts/habitica.sh
if [[ -f "$CONFIG_FILE" ]]; then
    source "$CONFIG_FILE"
fi

The script sources the credential file as shell code rather than parsing it as plain key/value data. This is a common shell pattern for config files, but it means any command placed in that file runs with the privileges of whoever invokes the script.

User impact: If ~/.habitica is modified by an attacker or contains unintended shell commands, those commands could run when the script loads credentials.
Recommendation: Keep ~/.habitica limited to simple HABITICA_USER_ID and HABITICA_API_TOKEN assignments with restrictive file permissions.
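The safer alternative to `source` is to read the file as data: accept only the two expected keys, require the values to have the expected shape, refuse a file that others can read, and set nothing if any line fails. The loader below is an added example and not the skill's code. It assumes both values are UUID-shaped (36 characters of hex digits and dashes) and that the default path is the same HABITICA_CONFIG / $HOME/.habitica fallback the script uses; the API base URL in the final helper is this example's assumption, while the two headers match those the script sends.

```shell
#!/usr/bin/env bash
# Added example, not part of the Habitica skill: load ~/.habitica as plain
# key=value data instead of `source`-ing it, so nothing in the file is ever
# executed. Assumptions: the file holds only HABITICA_USER_ID and
# HABITICA_API_TOKEN, both UUID-shaped; the default path mirrors the script's
# HABITICA_CONFIG / $HOME/.habitica; the API base URL in habitica_get.

# Refuse a config that group or others can read, write or execute.
# Reads the mode string from `ls -ld` so it works on GNU and BSD userlands.
check_config_perms() {
    local mode
    mode=$(ls -ld "$1" | cut -c5-10)        # group + other permission bits
    [ "$mode" = "------" ] || {
        echo "refusing $1: mode is not 600 (run: chmod 600 $1)" >&2
        return 1
    }
}

# Parse the file strictly. Each non-comment line must be KEY=VALUE (an optional
# leading "export " is tolerated) with one of the two expected keys and a
# UUID-shaped value. Anything else, including $(...), backticks, ';', '&&' or a
# bare command on its own line, is rejected, and no variable is set on failure.
load_habitica_config() {
    local file="${1:-${HABITICA_CONFIG:-$HOME/.habitica}}"
    local line key value user="" token=""
    [ -f "$file" ] || { echo "config not found: $file" >&2; return 1; }
    check_config_perms "$file" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        line="${line#export }"
        key="${line%%=*}"
        value="${line#*=}"
        [ "$key" != "$line" ] || { echo "rejected (not KEY=VALUE): $line" >&2; return 1; }
        # strip one pair of matching quotes around the value
        case "$value" in
            \"*\") value="${value#\"}"; value="${value%\"}" ;;
            \'*\') value="${value#\'}"; value="${value%\'}" ;;
        esac
        # UUID shape: hex digits and dashes only, exactly 36 characters.
        # This is also what blocks $(...), backticks and shell metacharacters.
        case "$value" in
            ''|*[!0-9a-fA-F-]*) echo "rejected (bad value for $key)" >&2; return 1 ;;
        esac
        [ "${#value}" -eq 36 ] || { echo "rejected (bad length for $key)" >&2; return 1; }
        case "$key" in
            HABITICA_USER_ID)   user="$value" ;;
            HABITICA_API_TOKEN) token="$value" ;;
            *) echo "rejected (unexpected key): $key" >&2; return 1 ;;
        esac
    done < "$file"
    [ -n "$user" ] && [ -n "$token" ] || { echo "config incomplete: $file" >&2; return 1; }
    HABITICA_USER_ID="$user"
    HABITICA_API_TOKEN="$token"
}

# Authenticated GET using the loaded credentials, sent as the same two headers
# the skill's script uses. The base URL is an assumption of this example.
habitica_get() {
    curl -fsS "https://habitica.com/api/v3/$1" \
        -H "x-api-user: $HABITICA_USER_ID" \
        -H "x-api-key: $HABITICA_API_TOKEN"
}
```

A line such as `HABITICA_API_TOKEN=$(curl http://example.invalid/x)` or a bare `touch /tmp/marker` in the config is rejected before anything runs; with `source` both would execute. The strictness is deliberate: a config that cannot be parsed is treated as tampered with, and the caller gets no partial credentials.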
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/habitica.sh
CONFIG_FILE="${HABITICA_CONFIG:-$HOME/.habitica}" ... source "$CONFIG_FILE" ... -H "x-api-user: $HABITICA_USER_ID" ... -H "x-api-key: $HABITICA_API_TOKEN"

The script loads a local Habitica credential file and uses the user ID and API token for authenticated Habitica API calls. This is expected for the integration, but it grants account access and is not reflected in the registry credential declarations.

User impact: Anyone using the skill must provide a Habitica API token that can access and modify their Habitica account.
Recommendation: Use a dedicated Habitica token if available, keep ~/.habitica private, and revoke/regenerate the token if it may have been exposed.