ClawHub

Toggl

v1.0.0

Track time with Toggl via the toggl CLI. Use when the user wants to start/stop time tracking, check current timer, view today's or weekly reports, list recent entries, or manage time entries. Triggers on "toggl", "time tracking", "timer", "track time", "what am I working on", "log time", "timesheet".

1· 2k·3 current·3 all-time
by@clvrobj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the SKILL.md: it directs the agent to use the @beauraines/toggl-cli to start/stop timers, list entries, and view reports. Nothing in the instructions asks for capabilities unrelated to Toggl time tracking.
Instruction Scope
The SKILL.md stays within the Toggl use-case, but it instructs creating a config file (~/.toggl-cli.json) containing the Toggl API token (or using environment variables) and suggests running npm install -g. These are expected for a CLI integration but do require the agent/user to store the API token locally or in env vars.
Install Mechanism
There is no install spec in the registry metadata (instruction-only skill). The SKILL.md instructs the user/agent to run `npm install -g @beauraines/toggl-cli`, which pulls code from the public npm registry (moderate risk compared with instruction-only). This is expected for installing a CLI but the package source and maintainer should be verified before global install.
Credentials
Metadata declares no required environment variables, but the SKILL.md states the integration needs a Toggl API token and that environment variables (TOGGL_API_TOKEN, TOGGL_DEFAULT_WORKSPACE_ID, TOGGL_TIMEZONE) can override config. The requested secrets (Toggl API token) are appropriate for the stated purpose; the metadata should declare them to avoid mismatch.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It only uses its own config path (~/.toggl-cli.json), which is appropriate for storing the Toggl token.
Assessment
This skill is coherent for Toggl CLI integration, but review these points before installing: 1) The SKILL.md requires your Toggl API token (stored in ~/.toggl-cli.json or via TOGGL_API_TOKEN) even though the registry metadata lists no env vars—don't install or provide secrets unless you trust the package and maintainer. 2) The instructions ask you to run `npm install -g @beauraines/toggl-cli` (global npm install). Verify the package on npm and its source repository, and prefer installing locally or inspecting the package before global install. 3) Protect your API token: set file permissions (chmod 600) as suggested, and avoid pasting the token into untrusted UIs. 4) If you want the agent to act autonomously, ensure it has only the minimal token scope you are comfortable granting. If you want help verifying the npm package or reviewing alternatives, ask for additional checks.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bs2fbzyfyd8qr729sssts4s808nv2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments