JobTread Agent
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent JobTread API skill, but it gives an agent broad authority to change business records and manage webhooks using a grant key without clear approval or scoping safeguards.
Install only if you want your agent to operate JobTread through the API. Use a dedicated, least-privilege grant key if possible, protect the local key file, and require explicit confirmation before the agent creates, updates, deletes, suppresses notifications, or changes webhooks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create or change important JobTread business data if given a valid grant key.
The skill intentionally enables broad mutation and management of business records and webhooks, but the provided instructions do not define approval gates, record scope, dry-run behavior, or rollback guidance.
With the right grant key, you can create and manage accounts (customers/vendors), jobs, documents, tasks, locations, custom fields, documents, and even subscribe to webhooks for live updates.
Use a least-privilege automation grant if JobTread supports it, require explicit user confirmation before create/update/delete operations, and test queries against non-production records first.
Anyone or any agent process with access to the grant key may be able to act through the JobTread API.
The grant key is expected for the JobTread API purpose, but it is still a credential that delegates access to a JobTread account or organization.
Create a new grant for automation. Copy the one-time `grantKey` ... Store the key locally ... `~/.config/jobtread/grant_key`
Store the key with restrictive permissions, avoid sharing it, rotate it regularly, and revoke it immediately if it may have been exposed.
Changes made through the API might not notify affected users if notification suppression is used.
Notification suppression and user-scoping options may be legitimate API features, but they affect how visible or attributed API actions are.
You can also set `notify`, `timeZone`, or `viaUserId` inside `$` when you need to suppress notifications or scope results.
Only suppress notifications when the user explicitly asks for it and understands the effect.
The automation access may remain usable for a long time if the user keeps the grant active.
The instruction is user-directed and not hidden, but it encourages maintaining ongoing credential validity.
JobTread expires keys after 3 months of inactivity, so schedule a reminder (cron/heartbeat) to rotate or re-use the grant before expiration.
Set a calendar reminder for review and rotation rather than unattended automated reuse, and revoke unused grants.
Incorrect webhook creation or deletion could disrupt live integrations or send JobTread event data to the wrong endpoint.
Webhook management is purpose-aligned and disclosed, but webhooks are persistent integrations that can propagate events to external systems.
Manage them via the API: list `webhook(id: "ID")` or `deleteWebhook` to cancel.
Verify endpoint URLs, keep a record of webhook IDs, and confirm before deleting or changing webhooks.
