Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pingcode Timelogger
v1.0.0
Automate PingCode timesheet filling — create sub-tasks and log work hours. Use when asked to fill PingCode timesheets, log work hours, create work items, or...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description (PingCode timesheet automation) match the instructions: creating sub-tasks, setting properties, and logging hours against PingCode via its API or browser automation. Git integration and token use are consistent with the 'auto-fill from commits' feature. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md explicitly instructs the agent to read a skill-local config (~/.openclaw/skills/pingcode-timelogger/config.yaml), a user-exported PingCode cookie file, and an optional git-token file; to call PingCode API endpoints; and to fall back to browser automation if API auth fails. These actions are within scope for the described task but involve accessing sensitive local credentials (cookies, tokens) and optionally driving a browser UI — the user should understand those sensitivities. The skill follows a principle of confirming actions with the user before making changes.
Install Mechanism
Instruction-only skill with no install spec or external downloads. This is the lowest-risk install pattern and consistent with the provided content.
Credentials
No environment variables are requested, but the skill requires local files containing sensitive credentials: a PingCode cookie file and optionally a Git token file. Those requirements are proportionate to the functionality (PingCode requires cookie-based auth per the doc), but they are high-sensitivity artifacts — the user must supply them deliberately and store them securely.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It reads and may write its own config in its skill directory (not other skills' configs). The browser automation fallback implies interacting with the user's browser session, which is expected for this fallback but increases the trust surface.
Assessment
This skill will act on your PingCode instance and needs you to provide a session cookie file (and optionally a Git token file) saved under the skill's config directory. Those files are sensitive — anyone with them can act as you on PingCode/Git. Before installing or using the skill:
(1) inspect SKILL.md to confirm endpoints are the PingCode instance you expect;
(2) provide least-privilege credentials (consider a dedicated PingCode account/session), and store token/cookie files in a secure location;
(3) confirm the skill's confirmation step is honored before it creates or modifies work items;
(4) be cautious with the browser-fallback — it will interact with your logged-in browser session;
(5) after testing, consider invalidating the session/cookie or revoking tokens if you used a high-privilege account.
Like a lobster shell, security has layers — review code before you run it.
