Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Toggl-Optimized-V2
v1.0.0Optimize Toggl Track usage with token-efficient API calls and fast reporting via a shell script for JSON and PDF summaries.
⭐ 0· 275·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (Toggl reporting) legitimately requires a Toggl API token and possibly a workspace ID, and the SKILL.md instructs the user to set TOGGL_API_TOKEN and TOGGL_WORKSPACE_ID. However, the registry metadata lists no required environment variables or primary credential — that's an inconsistency that could confuse permission reviews or automated policy checks.
Instruction Scope
SKILL.md promises direct curl examples and a reporting script that produces JSON/PDF reports. The provided scripts/toggl_report.sh is tiny and incomplete (just reads env vars and parameters; network calls and PDF generation are not present). That mismatch means the runtime behavior is unclear and the agent instructions are incomplete or out-of-date.
Install Mechanism
There is no install spec (instruction-only skill plus two small files). That is low-risk from an install/execution perspective — nothing is being downloaded or written by an automated installer.
Credentials
The SKILL.md explicitly asks for TOGGL_API_TOKEN (and optionally WORKSPACE_ID), and the script reads those env vars, but the skill metadata declares no required env or primary credential. Requesting an API token for Toggl itself is proportionate to the task, but the missing declaration is an ownership/visibility problem and may hide that the skill needs secrets.
Persistence & Privilege
The skill is not marked always:true and does not request system config paths or modify other skills. Autonomous invocation is allowed (platform default) but there are no elevated persistence privileges requested.
What to consider before installing
This skill looks like it intends to use your Toggl API token, but the registry metadata failed to declare that requirement and the included shell script is incomplete. Before installing: (1) do not provide your TOGGL_API_TOKEN to an unknown publisher without review; (2) ask the publisher for a complete script or an explanation of how PDF/JSON reports are generated and where network calls occur; (3) inspect or run the script in a safe sandbox to confirm it only calls Toggl endpoints and doesn't exfiltrate data elsewhere; (4) prefer skills that declare required env vars/credentials in metadata so automated checks can apply. If you can't verify the code or trust the author, avoid installing or limit the token's scope (rotate it after testing).Like a lobster shell, security has layers — review code before you run it.
latestvk9703qqh76be3kyt3mwz9eb5td825fhnreportingvk9703qqh76be3kyt3mwz9eb5td825fhn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.