Toggl-Optimized-V2
Security checks across malware telemetry and agentic risk
Overview
The skill appears purpose-aligned for Toggl reporting. The main thing to notice is that it asks for a Toggl API token even though the registry metadata does not declare credentials.
This looks reasonable if you intend to use Toggl reporting. Before installing, note that it relies on your Toggl API token and that the included report script appears incomplete, so review any future script changes before running them.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may expose a Toggl API token to the agent environment so reports can be generated.
The skill asks the user to provide a Toggl Track API token. That credential is expected for Toggl reporting, but it grants access to Toggl account data and is not declared in the registry metadata.
export TOGGL_API_TOKEN="your-api-token"
Use the token only in a trusted environment, avoid logging or sharing environment values, and revoke or regenerate the token if it may have been exposed.
