Habit Flow

Security checks across malware telemetry and agentic risk

Overview

HabitFlow is mostly a coherent habit tracker, but it needs Review because it can create persistent scheduled messages to external or last-used chat channels and contains a real shell-command injection risk in reminder syncing.

Install only if you are comfortable with local habit data being stored under ~/clawd/habit-flow-data and reminders/coaching being sent through your chat integrations. Before enabling reminders or coaching, inspect the cron jobs, bind delivery to an explicit recipient/channel, and avoid syncing reminders from untrusted habit names or custom messages until the shell-command construction is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The documentation instructs the agent to configure and run proactive coaching via cron jobs that automatically send messages without user prompting, but this autonomous outbound behavior is not properly disclosed in the manifest. Hidden scheduled outreach is risky because it can continue after the immediate interaction and message the user's last active channel or other configured destinations without fresh confirmation.

Description-Behavior Mismatch

Low
Confidence: 84%
Finding
The skill advertises scheduled reminders via WhatsApp, but the manifest does not clearly disclose WhatsApp-specific outbound delivery. This matters because WhatsApp messaging implies use of external communication channels and potentially sensitive contact/routing data, which users may not expect from a generic habit tracker description.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The documentation describes a proactive coaching system that autonomously sends messages to external chat channels via cron and `--deliver`, which expands the skill from user-invoked habit tracking into scheduled outbound communication. That creates a real security and privacy concern because messages may be sent without an in-the-moment user action, increasing the chance of unwanted disclosure of sensitive habit data.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The cross-channel delivery design allows coaching content to be sent over WhatsApp, Telegram, Discord, Slack, and similar platforms based on prior activity rather than an explicit per-send choice. In a habit-tracking context, these messages can reveal sensitive behavioral or wellness information across platforms, so the capability is broader and riskier than necessary for the stated function.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The guidance explicitly tells the reminder handler to use every available notification channel, which can cause the same reminder content to be propagated across multiple surfaces beyond the user's expected delivery path. In a habit tracker, reminders may reveal sensitive behavioral or health-adjacent information, so broad multi-channel fanout increases the chance of unintended disclosure to other devices, shared workspaces, or recipients.

Missing User Warnings

Medium
Confidence: 72%
Finding
The installation guide advertises optional WhatsApp notifications without any privacy or data-sharing warning. If enabled, users may unknowingly send habit data, reminders, or personal behavioral information through a third-party messaging channel, creating consent and privacy risks.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README advertises WhatsApp reminders and scheduled notifications but does not disclose that reminder content and metadata may be transmitted through an external messaging service. Users may enable the feature without understanding privacy implications, especially since habit data can reveal sensitive health, wellness, or behavioral information.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README instructs users to run cron synchronization without warning that this creates persistent scheduled jobs on the host system. Automated jobs can continue running unexpectedly, affecting privacy, system behavior, and operational safety if users do not realize they are installing background automation.

Vague Triggers

Medium
Confidence: 79%
Finding
The activation guidance includes broad, everyday phrases such as health or routine-related statements that may appear in normal conversation outside a clear request to use the skill. Over-broad triggers can cause unintended activation, leading to unrequested parsing, logging, reminder setup, or coaching actions involving personal behavioral data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes automatic proactive messages and cron-based scheduling but does not provide a strong, user-facing warning that autonomous outreach may be sent to selected or last active channels. This is dangerous because the system can contact external endpoints asynchronously, potentially exposing habit data or generating unwanted messages without immediate user awareness.

Vague Triggers

Medium
Confidence: 87%
Finding
The activation phrases are broad enough to overlap with ordinary conversation such as 'I meditated today' or 'Help me track my daily reading.' In an agent environment, this can cause unintended invocation of the skill and processing of user messages or side effects like logging or reminders when the user did not explicitly intend to use this skill.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation describes a workflow that automatically delivers coaching messages and generated visualizations to a user's messaging channels, but it does not mention explicit user consent, outbound messaging controls, or safeguards around what data is included in those messages. In a habit-tracking skill, these messages may reveal sensitive behavioral or wellness-related data across third-party platforms, creating privacy, compliance, and unintended disclosure risks if delivery is misconfigured or overly broad.

Vague Triggers

Medium
Confidence: 88%
Finding
The documented activation phrases are very broad, everyday statements like habit-related intents that could easily appear in normal conversation without an explicit request to invoke the skill. In a messaging or assistant environment, this can cause unintended skill activation and downstream state-changing actions such as logging habits or exposing progress data when the user did not mean to use HabitFlow.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation states that reminder replies like "done" / "skipped" / "missed" are logged automatically, but it does not mention a user warning, consent flow, or verification before modifying stored records. This creates a risk of unintended or spoofed data changes from short ambiguous replies, especially in chat contexts where users may not realize they are performing a write action.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document proposes a multi-user WhatsApp bot that stores user data in per-phone-number directories on the server, but this file is design-focused and does not show any clear user-facing notice, consent flow, or retention/deletion policy for external users. In a habit-tracking context, phone numbers and habit logs are personal data, so silent collection/storage increases privacy and compliance risk, especially if later implemented as described.

Missing User Warnings

Medium
Confidence: 95%
Finding
Sending to the 'last active channel' without a prominent warning or confirmation introduces a realistic risk of misdelivery to an unintended recipient or shared/work channel. Because coaching messages may include streaks, risks, and other personal habit insights, accidental delivery can leak private information even if the system behaves as designed.

Missing User Warnings

Medium
Confidence: 94%
Finding
The installer explicitly states that initialization will set up cron jobs, but it does so non-interactively and without obtaining user consent or clearly presenting what scheduled tasks will be created. Modifying persistent system scheduling during install increases risk because it creates ongoing execution paths that may surprise users, expand attack surface, or be abused if the scheduled task or its target script is later altered.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation exposes a command that can actually send proactive coaching messages via `--send` but does not clearly warn that this performs outbound communications. In an agent skill context, users or downstream agents may treat examples as safe to run, which can lead to unintended notifications, privacy issues, or spam-like behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation describes commands that sync reminders to cron and includes `--auto-fix` behavior without prominently warning that system scheduler state may be created, modified, or removed. In a tool-executing agent environment, this can cause persistent background jobs to be installed or altered unexpectedly, affecting host integrity and creating ongoing execution beyond the immediate task.

Missing User Warnings

Medium
Confidence: 90%
Finding
The example encourages automatic habit logging immediately after NLP parsing, which can modify a user's records without an explicit confirmation step or warning that data will be written. In a habit-tracking context, silent state changes can create inaccurate logs, inflate streaks, and undermine user trust, especially when parsing is imperfect or ambiguous.

Missing User Warnings

Medium
Confidence: 87%
Finding
The reminder example states that notifications will be sent to the user's last active chat channel, including external platforms like WhatsApp, without showing any consent, channel verification, or privacy notice. This can expose sensitive behavioral or wellness information through unintended channels or shared devices/accounts.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document normalizes sending reminders to the last active channel or a configured phone number without warning about recipient mismatch, stale channel context, or privacy exposure. Because habit reminders can contain personal routines and status information, sending to an implicitly selected destination can disclose sensitive data to an unintended chat, device, or person.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instruction to maximize visibility by using every available notification channel lacks any privacy boundary or user warning, effectively encouraging over-distribution of reminder content. In this skill context, reminders and follow-up responses like done/skipped/missed can expose intimate behavioral data across multiple apps and devices, increasing both accidental disclosure and confusion about where sensitive data is sent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document explicitly describes automated coaching that initiates without user prompts and is driven by cron jobs, but it does not prominently warn that users may receive messages automatically. In a habit-tracking context, unexpected outbound messages can violate user expectations, create privacy concerns on shared devices or channels, and lead to unwanted or excessive contact if enabled without clear consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The usage section shows a live `--send` mode immediately after dry-run examples, but does not clearly label it as an action that will actually transmit messages to users. This increases the risk of accidental live messaging during testing or administration, which can cause unintended user contact, spam-like behavior, or disclosure of habit-related information.

VirusTotal

66/66 vendors flagged this skill as clean.
