Time Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned and local-only, but it stores personal activity history and includes optional npm and cron setup steps users should review.

This looks safe for its stated purpose if you are comfortable keeping local activity logs. Before installing, verify the npm package/source, avoid sensitive activity descriptions, know where ~/.time-analyzer data is stored, and use the cron example only if you intentionally want recurring daily reports.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If the npm package name or source is not verified, a user could run code that differs from the reviewed local artifacts.

Why it was flagged

The documentation tells users to install or run a named npm package. That is coherent for a CLI tool, but it means users should verify they are getting the intended package and version.

Skill content

npm install -g time-analyzer

# Or use npx
npx time-analyzer

Recommendation

Install only from a trusted source, confirm the package name/version/repository, and prefer reviewed or pinned package sources where possible.

ASI06: Memory and Context Poisoning
Low
What this means

Anyone with access to the user's account or home directory may be able to read activity logs, work patterns, sleep records, or other personal time data.

Why it was flagged

The skill persistently records activity history and session state for later analysis. This is expected for time tracking, but the stored descriptions and patterns may be sensitive.

Skill content

Data is stored in the `.time-analyzer/` folder in the user's home directory:
- `records.json`: All activity records
- `config.json`: Configuration and current session state

Recommendation

Avoid putting highly sensitive details in activity descriptions, periodically review or delete ~/.time-analyzer data if needed, and use it only on devices/accounts you trust.

ASI10: Rogue Agents
Low
What this means

The report command may keep running daily after setup, and an incorrectly applied crontab command could remove other scheduled jobs.

Why it was flagged

The optional cron example creates scheduled recurring execution for reports. It is disclosed and purpose-aligned, but it persists until removed and the shown command form can replace the user's existing crontab if copied directly.

Skill content

echo "0 22 * * * /usr/local/bin/time-analyzer report" | crontab -

Recommendation

Use `crontab -e` or carefully append to the existing crontab instead of blindly piping a single line, and remove the cron entry when daily reports are no longer wanted.