Gamified Habits

Security checks across malware telemetry and agentic risk

Overview

This local habit tracker is mostly purpose-aligned, but it needs review because it stores account-linked personal habit data and does not safely constrain local file paths.

Review before installing. This skill appears to be a local gamified habit tracker, but it records behavioral history and diary content on disk using account-derived identifiers. Avoid untrusted or path-like --user/environment values, do not share whoami output or bundled data directories, and consider clearing packaged sample/user data before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The whoami/debug command prints channel, account identifier, full user ID, and the local storage path. That unnecessarily exposes sensitive identity and filesystem metadata, which can aid user enumeration, privacy violations, and targeted abuse, especially in shared chat or multi-tenant agent environments.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The test command is exposed in the production CLI and performs state-changing actions such as creating a habit and checking it in. In an agent-integrated context, this can be triggered accidentally or maliciously to corrupt user data, generate misleading records, or interfere with normal operation.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The XP/status module performs diary generation and persistence, which expands behavior beyond the declared habit-tracking/gamification scope. Scope creep is security-relevant because users and reviewers may not expect this module to create additional user content on disk, increasing privacy and data-handling risk.

Scope Creep

High
Confidence: 96%
Finding
The code calls diaryGenerator.saveDiary() and readDiary(), indicating file persistence behavior despite the skill metadata declaring only exec permission. This mismatch is dangerous because it can cause undeclared local data storage of potentially sensitive habit and diary information, violating least privilege and user expectations.

Vague Triggers

Medium
Confidence: 90%
Finding
The listed natural-language triggers are very broad everyday phrases like '我起床了' and '打卡', which can easily appear in normal conversation unrelated to an intentional skill invocation. In an agent skill with exec permission, ambiguous activation increases the chance of unintended command execution or unexpected state changes such as creating records or modifying habit data.

Vague Triggers

Medium
Confidence: 87%
Finding
The PRD says natural-language expressions like '我起床了' or '跑了 5 公里' will map to habits, but it does not define scope limits, disambiguation rules, or confidence handling. This makes accidental or incorrect matches plausible, which is risky because the skill can persist data and may be wired to executable actions.

Missing User Warnings

Medium
Confidence: 78%
Finding
The document specifies persistent local storage of user behavior data in a fixed path, but does not mention user-facing notice, consent, retention, or deletion expectations. Habit histories, timestamps, and attributes can reveal sensitive behavioral patterns, so silent storage creates privacy and transparency risk even if data remains local.

Vague Triggers

Medium
Confidence: 90%
Finding
The natural-language examples are generic everyday phrases like “我起床了” and “我跑步了”, which can plausibly occur in ordinary conversation and unintentionally trigger state-changing actions such as check-ins. Because the skill has exec permission and persists user data, accidental activation can modify records without clear user intent.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill describes automatic user identification and local JSON persistence but does not present a clear warning or consent-oriented notice to users. This creates a privacy and transparency issue: users may not realize account identifiers are being used to segregate data or that habit history is stored locally across sessions.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation explicitly states that user identity is derived from channel and account ID and shows those identifiers embedded directly in per-user filenames. Storing platform account IDs in filenames increases privacy exposure because identifiers may be revealed through directory listings, backups, logs, screenshots, or accidental file sharing, and the README does not mention minimization, hashing, or access controls.

Missing User Warnings

Medium
Confidence: 81%
Finding
The code constructs a persistent filename from channel and account identifiers and writes it under the user's home directory, which can expose sensitive account metadata to anyone with local access or backup/log visibility. While not remote code execution, it creates avoidable privacy leakage and makes correlation of a user's identities across channels easier.

Missing User Warnings

Medium
Confidence: 82%
Finding
The text states that data is automatically saved without disclosing what is stored, for how long, or where it is persisted. In a habit-tracking skill, stored records can reveal sensitive behavioral and lifestyle information, so lack of transparency can undermine informed consent and create privacy risk even if no exploit code is present in this file.

VirusTotal

66/66 vendors flagged this skill as clean.