Kimai Time Tracking
Result: Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Kimai API helper, but it is powerful because it can use your Kimai token to change or delete time-tracking and administrative data.
Install only if you want an agent to operate your Kimai instance. Provide a least-privilege Kimai token, review the full script if available, and require explicit approval for deletes, exports that lock entries, user/team changes, or other administrative actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given a broad or admin Kimai token, the agent could perform sensitive account and business-data operations within Kimai.
The skill requires a Kimai bearer token and documents permissions that may allow reading, editing, deleting, and administering business time-tracking data.
`KIMAI_API_TOKEN` - Bearer token for authentication ... `delete_customer` ... `delete_project` ... `delete_team` ... `view_user`
Use a least-privilege Kimai token limited to the operations you want the agent to perform, and avoid admin/delete permissions unless needed.
A mistaken ID or overly broad instruction could delete or alter Kimai records, including cascading customer/project/activity/timesheet data.
The CLI exposes destructive Kimai API actions. It has an interactive confirmation by default, but the presence of a force path means destructive calls should be explicitly controlled.
if not args.force and not confirm_deletion('customer', args.id, cascade): ... client.delete(f'customers/{args.id}')
Require explicit user confirmation for destructive or administrative actions, verify IDs before running them, and do not use force/no-confirm behavior unless the user specifically asked for it.
Users may not see the token requirement or provenance from registry metadata alone.
The registry metadata does not provide provenance and does not declare the credential/environment requirements that the SKILL.md and script use.
Source: unknown; Homepage: none ... Required env vars: none ... Primary credential: none
Review the included script before use, verify it came from a trusted source, and treat the Kimai token as sensitive.
