Scoro

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: scoro
Version: 1.0.0

The Scoro skill bundle is a legitimate integration for the Scoro API v2, providing comprehensive instructions for task management, time tracking, and reporting. It correctly identifies the need for sensitive environment variables (SCORO_API_KEY) and includes safety reminders for the agent to seek user confirmation before modifying or deleting data. No evidence of data exfiltration, malicious execution, or prompt injection was found in SKILL.md or _meta.json.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

An ambiguous request or agent mistake could change billable time records that may affect reporting, client billing, or payroll review.

Why it was flagged

The skill explicitly supports account mutations to time entries and a broad bulk billable-status change, but the provided visible instructions do not show mandatory confirmation, preview, rollback, or date/user scoping before those changes.

Skill content

`timeEntries/modify/ID` | Update a time entry (e.g. fix billable status) ... `adjust all logs on task X to be billable`

Recommendation

Require explicit confirmation before every modify call, show the exact entry IDs and current/new billable values, narrow bulk actions by user/date/task, and record enough information to reverse changes.

What this means

The agent may be able to read company Scoro data such as tasks, time entries, users, projects, and contacts, and perform permitted updates.

Why it was flagged

The skill requires a Scoro company API key, which is expected for the integration but gives the agent delegated access to whatever Scoro data and actions that key permits.

Skill content

`SCORO_API_KEY` — company API key (starts with `ScoroAPI_`)

Recommendation

Use the least-privileged Scoro API key available, verify the company URL is the real Scoro domain, store the key securely, and rotate it if no longer needed.