Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Timedoctor

v0.1.0

Integrates with TimeDoctor API to pull employee time tracking data, worklogs, statistics, and productivity metrics using simple Python scripts

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included Python CLI (timedoctor.py) which calls TimeDoctor's API endpoints. Required binary python3 and dependency httpx are appropriate for the stated purpose.
Instruction Scope (flagged)
SKILL.md explicitly instructs the agent to prompt users for TimeDoctor email and password and to run the local CLI to obtain a JWT, then instructs users to export the TIMEDOCTOR_TOKEN. Asking for credentials is within the task of obtaining an auth token but expands the trust surface (agents collecting plaintext passwords). The instructions also check/set environment variables and run local commands — there is no instruction to read unrelated files or exfiltrate data, but the guidance is broad about prompting for credentials and manipulating env vars.
Install Mechanism
No external downloads or executables are fetched; the only dependency is httpx via pip (requirements.txt included). However, the registry metadata says 'No install spec' while the SKILL.md YAML frontmatter declares pip: ['httpx>=0.27.0'] — a minor inconsistency in the install metadata, but the actual install mechanism (pip) is reasonable and low-risk.
Credentials (flagged)
The skill uses TIMEDOCTOR_TOKEN and optionally TIMEDOCTOR_COMPANY_ID at runtime, but the registry metadata lists no required env vars and no primary credential. That mismatch (runtime env usage vs. registry declarations) is inconsistent and may confuse permission/credential handling. The skill also instructs collecting an email/password to call the login API — this is expected for obtaining a token but is sensitive and should be highlighted to users.
Persistence & Privilege
No 'always: true' or elevated privileges requested. The skill is user-invocable and the code does not attempt to modify other skills or system-wide configs. It suggests adding exports to shell profiles but that is a user action, not automatic persistence by the skill.
What to consider before installing
This skill appears to be a straightforward TimeDoctor API client, but check these points before installing or using it:

- Credential handling: The agent will prompt for your TimeDoctor email/password to run the login flow and obtain a JWT. Consider creating the token yourself (via curl or the TimeDoctor UI/API) and setting TIMEDOCTOR_TOKEN instead of handing your password to the agent.
- Env var mismatch: SKILL.md expects TIMEDOCTOR_TOKEN and optionally TIMEDOCTOR_COMPANY_ID, but the registry metadata doesn't declare required env vars — make sure you store tokens securely and do not add them to shared shell profiles on multi-user systems.
- Installation: The code requires Python and httpx (pip). Install dependencies in an isolated virtualenv rather than system Python to reduce risk.
- Review code & origin: The repository/author looks like an individual project. If you will use this for production or sensitive data, review the timedoctor.py source yourself (it appears to call only api2.timedoctor.com) and verify there are no unexpected network endpoints or logging of sensitive data. If you cannot review the code or avoid entering your password, prefer manual token provisioning and limit token lifetime / scope where possible.


latest: vk97bft1d5vdn1xvs3fkcwz18b583bkjk


Runtime requirements

Runtime: Clawdis
Bins: python3
