ClawHub

Trackingtime

v1.0.2

TrackingTime integration. Manage data, records, and automate workflows. Use when the user wants to interact with TrackingTime data.

0· 55·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name and description match the instructions: all actions are performed via Membrane against TrackingTime. Requiring Membrane/its CLI and a Membrane account is coherent with the stated purpose.
Instruction Scope
SKILL.md directs the agent/user to install and use the Membrane CLI, to run membrane commands (connect, action list/run, request). These are within the stated TrackingTime integration scope. The file does not instruct reading unrelated files or environment variables. One minor mismatch: registry metadata lists no required binaries, but the instructions require npm (or npx) and the membrane CLI — the skill assumes the environment can run those commands.
Install Mechanism
There is no formal install spec in the registry; instead the README instructs the user to run `npm install -g @membranehq/cli` or use npx. Installing a third-party CLI from npm is a common pattern but carries the usual supply-chain risk (npm package execution). This is expected for a CLI-based integration but worth reviewing before installation.
Credentials
The skill declares no environment variables or secrets and explicitly advises not to ask users for API keys. Authentication is delegated to Membrane's browser-based flow; that is proportionate for a proxy integration.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or attempt to modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other red flags.
Assessment
This skill is a thin integration that uses the Membrane CLI to talk to TrackingTime. Before installing: (1) confirm you trust the @membranehq/cli npm package and review its code or npm page if you’re concerned about supply-chain risk; (2) understand that you will authenticate via Membrane (a browser OAuth flow) and that Membrane will proxy API requests to TrackingTime — so you are giving Membrane access to the TrackingTime data you authorize; (3) if you prefer not to install a global npm package, use npx as the README suggests; (4) verify that your environment can run npm/npx and that installing a global binary is acceptable for your security posture. If any of these are unacceptable, do not install the CLI or the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cyq0qy6xq86ha4mqdt92ah842m3p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments