Trust Assessment
habitica received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 3 critical, 0 high, 4 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Sensitive environment variable access: $HOME", and "Persistence mechanism: Shell RC file modification".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/tonyunturn/habitica-skill/scripts/habitica.sh:56 |
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/tonyunturn/habitica-skill/scripts/habitica.sh:60 |
| CRITICAL | Arbitrary code execution via sourcing configuration file. The `load_creds` function uses `source "$CONFIG_FILE"` to load credentials. The `CONFIG_FILE` variable defaults to `$HOME/.habitica` but can be overridden by the `HABITICA_CONFIG` environment variable. If an attacker can control the `HABITICA_CONFIG` environment variable or write malicious content to `$HOME/.habitica`, they can inject and execute arbitrary shell commands, leading to a full compromise of the execution environment. Replace `source "$CONFIG_FILE"` with a safer method for parsing key-value pairs, such as `while IFS='=' read -r key value; do export "$key=$value"; done < <(grep -E '^(HABITICA_USER_ID\|HABITICA_API_TOKEN)=' "$CONFIG_FILE")`. Alternatively, strictly enforce that `HABITICA_CONFIG` must point to a trusted, read-only path and ensure `$HOME/.habitica` is only writable by the user and contains only variable assignments. | LLM | scripts/habitica.sh:11 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tonyunturn/habitica-skill/scripts/habitica.sh:8 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/tonyunturn/habitica-skill/scripts/habitica.sh:56 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/tonyunturn/habitica-skill/scripts/habitica.sh:60 |
| MEDIUM | User-controlled content from API output can lead to prompt injection. Several `format_...` functions (e.g., `format_tasks`, `format_user`, `format_party`) display user-controlled text retrieved directly from the Habitica API (such as task text, notes, user names, and chat messages). If an attacker can manipulate these fields within Habitica, they could embed malicious instructions or data that, when presented back to the LLM, could be interpreted as new instructions, leading to a prompt injection attack. When displaying user-controlled text from the API, wrap it in clear, unambiguous delimiters (e.g., `<user_content>...</user_content>`) or apply context-aware sanitization to neutralize potential LLM instructions before presenting the output to the host LLM. | LLM | scripts/habitica.sh:40 |