Timesheet - Time Tracking
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill matches its stated time-tracking purpose, but it can use the Timesheet CLI to authenticate and make real changes to projects, tasks, timers, and tags.
This skill appears coherent and purpose-aligned. Before installing, make sure the official `timesheet` CLI is installed, understand that it can create/update/delete Timesheet account data, and require confirmation for destructive or account-changing commands.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the wrong IDs or accepting an unintended action could alter or delete projects, tasks, tags, or timer entries in the user's Timesheet account.
The skill documents CLI commands that can modify or delete Timesheet account records. This is expected for project/task management, but incorrect use could change or remove business time-tracking data.
timesheet projects update <id> --title "New Name" timesheet projects delete <id> ... timesheet tasks update <id> --description "Updated description" timesheet tasks delete <id>
Confirm the target project/task/tag IDs and ask for explicit user confirmation before update or delete operations.
The agent can perform supported Timesheet CLI actions under the user's account permissions once authentication is available.
The skill uses the user's authenticated Timesheet account or API key. That is appropriate for the integration, but actions will run with whatever permissions those credentials have.
If not authenticated, guide the user to run: ```bash timesheet auth login ``` Or for automation, set an API key: ```bash export TIMESHEET_API_KEY=ts_your.apikey ```
Use only the official Timesheet CLI, avoid exposing API keys in chats or logs, and prefer the least-privileged credential available.
If a different or untrusted `timesheet` binary is installed on the system, the skill would invoke that binary.
The skill depends on an external `timesheet` binary and includes no bundled code or install spec. The behavior therefore depends on the separately installed CLI.
metadata: {"requires": {"bins": ["timesheet"]}}Install the Timesheet CLI from the official source and verify the command on the PATH before using the skill.