ClawHub

WakaTime

v0.0.1

Query WakaTime coding statistics including time ranges, projects, languages, categories, editors, and machines. Use when the user asks about WakaTime, coding...

0· 39·0 current·0 all-time
by@chensoul
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (WakaTime query) match the declared requirement (WAKATIME_API_KEY) and the included Python CLI which calls the WakaTime hosted API. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md commands and examples map directly to the functions implemented in scripts/wakatime_query.py. The instructions only read the WAKATIME_API_KEY env var and call the WakaTime API; they do not instruct the agent to read arbitrary system files or transmit data to other endpoints.
Install Mechanism
No install spec; this is instruction + included stdlib Python script. No external downloads or package installs are performed by the skill, and the code uses only the Python standard library.
Credentials
Only one credential is required (WAKATIME_API_KEY) and it is the primary credential for the stated purpose. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
always is false, the skill is user-invocable and not force-included. It does not request or modify other skills or system-wide configs.
Assessment
This skill appears coherent and read-only: it only needs your WakaTime API key and calls the official https://wakatime.com API. Before installing, consider: 1) only provide a WAKATIME_API_KEY if you trust the skill — treat API keys like passwords; 2) run the included script locally (python3 scripts/wakatime_query.py health) to verify behavior in your environment; 3) if API calls fail, note the script constructs HTTP Basic auth by base64-encoding the API key (the server commonly expects the API key as the username with an empty password — some servers expect a trailing colon before encoding). 4) Be aware debug mode prints request URLs to stderr (it does not print the Authorization header), but avoid enabling debug in untrusted contexts. If you want higher assurance, review the full script before use; no other secrets or unusual network endpoints are present.

Like a lobster shell, security has layers — review code before you run it.

latestvk978tzkwy2mhq7qecfkxvj5xcn83wkjb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvWAKATIME_API_KEY
Primary envWAKATIME_API_KEY

Comments