Scoro

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Scoro integration, but it can update billable time records and includes broad bulk-correction wording without visible confirmation safeguards.

Install only if you are comfortable letting the agent access your Scoro company account. For read-only reporting, prefer a limited key if Scoro supports it. Before allowing billable-status fixes or time-entry modifications, ask the agent to list the exact records it will change and require explicit confirmation.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)

ASI02: Tool Misuse and Exploitation

What this means

An ambiguous request or agent mistake could change billable time records that may affect reporting, client billing, or payroll review.

Why it was flagged

The skill explicitly supports account mutations to time entries and a broad bulk billable-status change, but the provided visible instructions do not show mandatory confirmation, preview, rollback, or date/user scoping before those changes.

Skill content

`timeEntries/modify/ID` | Update a time entry (e.g. fix billable status) ... `adjust all logs on task X to be billable`

Recommendation

Require explicit confirmation before every modify call, show the exact entry IDs and current/new billable values, narrow bulk actions by user/date/task, and record enough information to reverse changes.

What this means

The agent may be able to read company Scoro data such as tasks, time entries, users, projects, and contacts, and perform permitted updates.

Why it was flagged

The skill requires a Scoro company API key, which is expected for the integration but gives the agent delegated access to whatever Scoro data and actions that key permits.

Skill content

`SCORO_API_KEY` — company API key (starts with `ScoroAPI_`)

Recommendation

Use the least-privileged Scoro API key available, verify the company URL is the real Scoro domain, store the key securely, and rotate it if no longer needed.