Habithero
v2.0.0Habit tracker with streak counting and visual calendars. Use when you need habithero.
⭐ 0· 222·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (habit tracker) align with the included script: the script implements many habit-tracking commands and stores data under $HOME/.local/share/habithero. No unrelated cloud credentials, binaries, or system paths are requested.
Instruction Scope
SKILL.md documents core commands (add, done, list, streak, calendar, help) but the shipped script implements a larger set (plan, track, review, export, stats, search, etc.). This is not malicious but is an inconsistency: the runtime behavior may offer more functionality than the documentation lists. All file and env access in the script stays within the data directory under the user's home.
Install Mechanism
There is no install spec (instruction-only), yet a runnable script is included. That is low risk, but the lack of installation guidance means an agent or user might need to place the script on PATH themselves — review how it will be executed before running it.
Credentials
The skill declares no required environment variables or credentials and the script does not attempt to read unrelated env vars. All persistent data is written to a directory under the invoking user's home, which is proportionate for a local tracker.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration changes. It only writes to its own data directory under $HOME and does not modify other skills or global agent settings.
Assessment
This skill appears to be a local CLI habit tracker and is generally coherent, but before installing or running it: 1) Inspect the provided script (scripts/script.sh) yourself — it will create and write files under $HOME/.local/share/habithero. 2) Note the mismatch between SKILL.md (few commands) and the script (many commands); expect the extra functionality. 3) The export JSON routine does not escape user input, so exports can be malformed if you store arbitrary text; review exported files before sharing. 4) There is no network activity in the script, but if you plan to give an agent authority to run the skill autonomously, prefer running it in a controlled environment since it will execute shell commands and write files locally. 5) If you want to be extra safe, run the script in a sandbox or test account first.Like a lobster shell, security has layers — review code before you run it.
latestvk97ege6mepcqbq15b91zs3qqcn832s4t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.