v1.0.1

Timesheet - Time Tracking

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

This instruction-only skill matches its stated time-tracking purpose, but it can use the Timesheet CLI to authenticate and make real changes to projects, tasks, timers, and tags.

Guidance: This skill appears coherent and purpose-aligned. Before installing, make sure the official `timesheet` CLI is installed, understand that it can create/update/delete Timesheet account data, and require confirmation for destructive or account-changing commands.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
timesheet projects update <id> --title "New Name"
timesheet projects delete <id>
...
timesheet tasks update <id> --description "Updated description"
timesheet tasks delete <id>

The skill documents CLI commands that can modify or delete Timesheet account records. This is expected for project/task management, but incorrect use could change or remove business time-tracking data.

User impact: Using the wrong IDs or accepting an unintended action could alter or delete projects, tasks, tags, or timer entries in the user's Timesheet account.
Recommendation: Confirm the target project/task/tag IDs and ask for explicit user confirmation before update or delete operations.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
SKILL.md
metadata: {"requires": {"bins": ["timesheet"]}}

The skill depends on an external `timesheet` binary and includes no bundled code or install spec. The behavior therefore depends on the separately installed CLI.

User impact: If a different or untrusted `timesheet` binary is installed on the system, the skill would invoke that binary.
Recommendation: Install the Timesheet CLI from the official source and verify the command on the PATH before using the skill.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
If not authenticated, guide the user to run:
```bash
timesheet auth login
```

Or for automation, set an API key:
```bash
export TIMESHEET_API_KEY=ts_your.apikey
```

The skill uses the user's authenticated Timesheet account or API key. That is appropriate for the integration, but actions will run with whatever permissions those credentials have.

User impact: The agent can perform supported Timesheet CLI actions under the user's account permissions once authentication is available.
Recommendation: Use only the official Timesheet CLI, avoid exposing API keys in chats or logs, and prefer the least-privileged credential available.