Gamified Habits

v1.0.1

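Gamified habit-building assistant - build good habits through gamification, with support for check-ins, XP leveling, and an attributes panel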

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (gamified habits) align with the code and SKILL.md: modules implement habit creation, check‑in, XP, story/diary generation and local persistence. The skill asks for no cloud API keys and does not perform network calls, which is coherent for a local habit tracker. Minor note: SKILL.md and PRD mention both ~/.gamified-habits/user-data.json and ~/.openclaw/skills/gamified-habits/data/{user}.json; storage.js handles migration between these paths.
Instruction Scope
SKILL.md instructs execution (it includes 'permissions: - exec') and lists natural‑language triggers and CLI usage — consistent with the included bin/habits.js. The runtime instructions and code access environment variables (OPENCLAW_CHANNEL/ACCOUNT_ID, GAMIFIED_HABITS_USER, HOME) to identify users and read/write local files; that is proportionate to the stated multi‑user/local storage behavior. Pre-scan found a 'unicode-control-chars' prompt-injection pattern in SKILL.md — this is unusual and worth reviewing (the rest of the instructions are explicit and scoped).
Install Mechanism
No install spec or external downloads are declared. This is an instruction+code skill with all code bundled in the package. There are no remote URLs, package installs, or archives to fetch, which lowers installation risk.
Credentials
The skill declares no required env vars, but the code reads environment variables for user identification (OPENCLAW_CHANNEL / CHANNEL, OPENCLAW_ACCOUNT_ID / ACCOUNT_ID, GAMIFIED_HABITS_USER) and HOME for file paths. These are reasonable and necessary for per-channel/per-account storage and are proportional to its purpose. It does not request unrelated secrets or tokens.
Persistence & Privilege
The skill persists data to the user's home directory (SKILL_DIR under ~/.openclaw and a DATA_DIR) and will migrate and rename an old ~/.gamified-habits/user-data.json to a .bak when present. Persisting local JSON and creating directories/files is expected for this skill, but you should be aware it will modify user files and may rename an existing legacy file during migration.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters identified by the scanner. This is not expected for a simple README/instruction file and can be used in prompt-injection attacks or to obfuscate content; review SKILL.md for hidden/zero-width characters before trusting inputs. The rest of the code appears straightforward and does not show corresponding malicious behavior.
Assessment
This skill appears coherent and implements a local, file-backed gamified habit tracker. Before installing, consider:
1) it will create/read files under your home directory (~/.openclaw/skills/gamified-habits/ and data files ~/.openclaw/skills/gamified-habits/data/{channel-user}.json) and may migrate/rename an older ~/.gamified-habits/user-data.json to a .bak. Back up that file if it exists;
2) the skill reads environment variables (OPENCLAW_CHANNEL, OPENCLAW_ACCOUNT_ID, GAMIFIED_HABITS_USER, HOME) for user identification. These are expected, but confirm you’re comfortable with per-channel data separation;
3) SKILL.md included a 'unicode-control-chars' scanner hit (possible prompt-injection/obfuscation); open SKILL.md in a plain text editor and inspect for invisible characters if you’re concerned;
4) the skill requires exec permission (it provides a CLI) but does not perform network calls or request external tokens.
If you want extra assurance, run the skill in a sandboxed account or review/execute the code locally before enabling autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cnw0v1h24a0qvprr4r9tcyd83mwa4
