AI-powered atomic habit tracker with natural language logging, streak tracking, smart reminders, and coaching. Use for creating habits, logging completions naturally ("I meditated today"), viewing progress, and getting personalized coaching.
Security Analysis
medium confidence
The skill's code, docs, and runtime instructions are broadly consistent with an on-device habit tracker that reads/writes a local data directory and optionally creates cron reminders; a few metadata/install-description mismatches and minor documentation oddities warrant caution but do not indicate malicious intent.
The skill's name/description (habit tracking, NLP logging, reminders, coaching) match the included scripts, TypeScript source, and canvas visualization assets. The repo implements local JSON/JSONL storage, parsing, streak calculations, persona loading, cron/WhatsApp reminder sync, and visual dashboards — all reasonable for the declared purpose. Minor inconsistency: registry metadata states "No install spec — instruction-only" while SKILL.md includes a metadata.moltbot.install entry and the repo contains package.json and an INSTALL.md describing git clone + npm install. Also SKILL.md's install metadata lists bins ["node","npm"], which is atypical but not harmful.
SKILL.md explicitly instructs the agent to read/write files under ~/clawd/habit-flow-data/ and to load persona files from the skill's references/personas/ directory. That file access is coherent with persona loading and local storage. The skill also documents creating/syncing cron jobs (opt-in per changelog) to deliver WhatsApp reminders; this requires gateway-level WhatsApp configuration but the skill itself does not embed external endpoints. The skill no longer auto-creates cron jobs (changelog) and includes validation to prevent persona path traversal. Overall the runtime instructions are scoped to the skill's purpose, though you should review scripts that modify cron jobs (scripts/sync_reminders.ts, scripts/run_reminder.ts) before enabling them.
There is no remote download-from-arbitrary-URL; installation is documented as cloning the GitHub repo and running npm install. Dependencies indicated (chrono-node, string-similarity, commander, tsx, @napi-rs/canvas) match the implemented features (NLP, CLI, canvas rendering). Using native canvas (@napi-rs/canvas) requires native build tooling but is proportionate to the canvas dashboard feature. The repository contains an INSTALL.md and package.json, so treat this as a code-backed skill (not instruction-only) despite registry metadata saying otherwise.
The skill declares no required environment variables or external credentials. That aligns with the code: data is stored locally under ~/clawd/habit-flow-data/ and reminders are routed through the gateway's clawdbot cron/WhatsApp channels (which are configured outside the skill). There are no declared requests for unrelated secrets. Note: WhatsApp delivery depends on gateway-level configuration; ensure your gateway's channel credentials are correctly managed separately.
always:false and user-invocable:true. The skill reads and writes only to its own data directory (~/clawd/habit-flow-data/) and the skill directory. Cron job creation is opt-in (user must run sync_reminders.ts). It does not request permanent platform-wide privileges or modify other skills' configs. No 'always' or autonomous escalation flags were observed.
Guidance
What to consider before installing Habit Flow

- Confirm install method: the registry metadata claimed "instruction-only" but the package contains code and an INSTALL.md. Install by cloning the repo into your gateway workspace (~/clawd/skills or ~/.clawdbot/skills) and run npm install as documented — do not treat it as a metadata-only skill.
- Review scripts that interact with the system before enabling them: specifically scripts/sync_reminders.ts, scripts/run_reminder.ts, and any example shell helpers in examples/*.sh. Reminders create cron entries via the gateway; the skill moved to opt-in cron creation, but you should inspect what cron jobs will be created and confirm they call only the intended wrappers.
- Data is stored locally at ~/clawd/habit-flow-data/. Back up or inspect that directory if you want to preserve or audit your habit data. The skill will read/write config.json in that directory and update activePersona when switching personas.
- Dependencies: npm install will fetch public npm packages (including @napi-rs/canvas which requires native build tooling). If you want to avoid native builds, do not enable canvas/dashboard features.
- Gateway/WhatsApp configuration: WhatsApp reminders rely on your gateway's configured channel; the skill does not itself hold WhatsApp credentials. Ensure your gateway's channel config is secure and understood.
- Small metadata oddities (SKILL.md install metadata listing node/npm as bins, and registry claiming no install spec) look like packaging/metadata mistakes rather than malicious behavior.

If you need higher assurance: (1) run the skill in a sandboxed workspace, (2) inspect package.json and scripts for any network calls or unexpected subprocess invocations, and (3) grep for use of eval/spawning shell with unsanitized input (changelog indicates the author fixed earlier issues).
Latest Release
v1.5.4
**Improved persona validation and selection for more robust user experience.**

- Validates persona IDs when loading, switching, or displaying personas; falls back to "flex" if invalid.
- Informs users if an invalid persona is requested, and shows the list of available personas.
- Updated SKILL.md documentation to reflect enhanced persona validation logic.
- Bumped version to 1.5.4.
Published by @tralves on ClawHub