Timetonic
v1.0.0TimeTonic integration. Manage data, records, and automate workflows. Use when the user wants to interact with TimeTonic data.
⭐ 0· 33·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (TimeTonic integration) align with the instructions: all runtime actions are CLI calls to the Membrane connector for TimeTonic. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md confines the agent to installing/using the Membrane CLI, creating connections, listing actions, running actions, and proxying API calls via Membrane. It does not instruct reading arbitrary files, exporting unrelated environment variables, or exfiltrating data to unexpected endpoints. It does require interactive/browser-based authentication (or headless copy/paste flow), which is appropriate for third-party OAuth-like flows.
Install Mechanism
The skill is instruction-only (no install spec) and instructs the user to run `npm install -g @membranehq/cli` or use `npx ...@latest`. This is expected for a CLI-driven skill, but installing global npm packages or running `npx @latest` executes code from the npm registry — users should verify the official package and intended version before installing.
Credentials
No environment variables, secrets, or config paths are requested by the skill. SKILL.md explicitly advises not to ask users for API keys and to rely on Membrane's connection flow, which is proportionate to the skill's stated purpose. Note: trusting Membrane as a third-party service is required because it manages credentials server-side.
Persistence & Privilege
The skill does not request always:true and has no install-time modifications or system-wide configuration. It is user-invocable and can be invoked autonomously (platform default), which is expected for an integration skill and is not combined with other concerning privileges.
Scan Findings in Context
[no_regex_findings] expected: The static scanner had no code files to analyze (instruction-only SKILL.md). This is expected; absence of findings does not guarantee safety but is consistent with an instructions-only skill.
Assessment
This skill is internally consistent: it delegates auth and API work to the Membrane CLI and does not ask for unrelated secrets. Before installing/using it, consider: (1) You must trust the third party (Membrane) because they will store/manage your TimeTonic credentials and proxy requests. Review their privacy/security docs if needed. (2) Installing the CLI uses npm (global install or npx); verify the package name and preferred version rather than blindly running `npx ...@latest` in unattended environments. (3) The login flow opens a browser or provides a URL/code for headless environments — be cautious when pasting codes in shared terminals. If you’re uncomfortable trusting Membrane to hold credentials, do not use this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97b5a4hx71g1b3vq6d6ysmgms8475wq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.