Scoro
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An ambiguous request or agent mistake could change billable time records that may affect reporting, client billing, or payroll review.
The skill explicitly supports account mutations to time entries and a broad bulk billable-status change, but the provided visible instructions do not show mandatory confirmation, preview, rollback, or date/user scoping before those changes.
`timeEntries/modify/ID` | Update a time entry (e.g. fix billable status) ... `adjust all logs on task X to be billable`
Require explicit confirmation before every modify call, show the exact entry IDs and current/new billable values, narrow bulk actions by user/date/task, and record enough information to reverse changes.
The agent may be able to read company Scoro data such as tasks, time entries, users, projects, and contacts, and perform permitted updates.
The skill requires a Scoro company API key, which is expected for the integration but gives the agent delegated access to whatever Scoro data and actions that key permits.
`SCORO_API_KEY` — company API key (starts with `ScoroAPI_`)
Use the least-privileged Scoro API key available, verify the company URL is the real Scoro domain, store the key securely, and rotate it if no longer needed.
