Toggl CLI – Time tracking for you and your agent
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill's Toggl purpose is clear, but it asks you to install unreviewed external Node/GitHub code and give it a Toggl API token that can change or delete workspace data.
Before installing, review the external GitHub project and its dependencies, consider pinning a trusted version, and only provide a Toggl API token if you are comfortable letting this CLI manage and potentially delete Toggl workspace data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You would be trusting code outside the reviewed skill package to access and modify your Toggl account.
The skill directs installation and execution of external Node/GitHub code, but the submitted artifact contains no reviewed code files or install spec. This matters more because the CLI will be used with a Toggl API token and account-mutation commands.
git clone https://github.com/FroeMic/toggl-cli
cd toggl-cli
npm install
npm run build
npm link
Inspect the GitHub repository and dependencies, pin a trusted commit or release if possible, and install only if you are comfortable giving that CLI access to your Toggl token.
Anyone or any tool with access to that environment variable may be able to use your Toggl API permissions.
The skill requires a Toggl API token and recommends making it available to the agent environment. This is expected for Toggl access, but it is sensitive account authority.
Set `TOGGL_API_TOKEN` environment variable ... Recommended: Add to `~/.claude/.env` for Claude Code
Store the token securely, avoid sharing logs or environment files, and rotate/revoke the token if the CLI or environment is exposed.
A mistaken command could alter or delete Toggl workspace records.
The documented CLI supports destructive and mutating operations across Toggl time entries, projects, clients, tags, tasks, and groups. These are aligned with the stated management purpose but can affect real workspace data.
toggl te delete <id> ... toggl proj delete <id> ... toggl client delete <id> ... toggl group delete <id>
Use list/get commands to verify IDs first and require explicit confirmation before running create, update, archive, restore, or delete operations.
