Rescuetime
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward RescueTime integration, but it requires Membrane/RescueTime authentication and can run API actions, so users should review permissions before use.
Before installing, be comfortable using Membrane as the authentication and API gateway for RescueTime. Verify the CLI package, connect only the intended RescueTime account, and require explicit approval before the agent changes or deletes RescueTime data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is allowed to run mutating requests, it could change RescueTime account data such as goals, categories, activities, or related records.
The skill documents a broad authenticated API proxy, including methods that can modify or delete RescueTime data. This is disclosed and related to the integration, but it should be used carefully.
When the available actions don't cover your use case, you can send requests directly to the RescueTime API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer listed Membrane actions when possible, and ask the user to confirm any POST, PUT, PATCH, or DELETE request before running it.
The skill can act through the user's connected RescueTime account once authentication is completed.
The integration relies on Membrane-managed credentials for RescueTime access. This is expected for the service connection, but it grants delegated account authority.
Membrane handles authentication and credentials refresh automatically
Connect only the intended RescueTime account and review the permissions shown during Membrane/RescueTime authentication.
Installing a global CLI gives that package local execution capability on the user's machine.
The skill asks the user to install a global CLI package using the latest tag. This is user-directed and central to the skill, but it depends on npm package provenance and the current latest version.
npm install -g @membranehq/cli@latest
Install from the official package source, consider pinning a known version, and avoid running the CLI with elevated system privileges unless necessary.
RescueTime API interactions are mediated by Membrane rather than going directly from the agent to RescueTime.
Membrane acts as the gateway for authenticated RescueTime API calls. This is disclosed and purpose-aligned, but it means requests and authentication handling pass through that provider.
Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers
Use a trusted Membrane account and avoid sending unnecessary sensitive data in proxy request bodies or headers.