Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

TimeCamp

v1.1.1

Use when the user asks about time tracking, time entries, tasks, timers, or anything related to TimeCamp. Triggers on keywords like "timecamp", "time entries...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's declared purpose (TimeCamp time tracking, entries, timers, analytics) matches its instructions. However, the SKILL.md expects the agent to clone and run two GitHub repositories and to invoke git, npm, a Python pipeline and DuckDB, while the skill metadata lists no required binaries or install steps. The skill implicitly depends on git, npm, python, duckdb and uv but declares none of them; an undeclared dependency is a mismatch between what the metadata promises and what the instructions actually do.
Instruction Scope
The instructions stay within TimeCamp functionality (timer, entries, analytics) and include sensible safety prompts (ask before cloning, confirm before modifying entries, show commands before running them). But the data pipeline explicitly fetches 'computer_activities' (desktop-app activity tracking) and writes JSONL data under ~/data and a database under ~/.duckdb, so it handles potentially sensitive personal telemetry. The SKILL.md also invokes 'uv run --with-requirements requirements.txt'; uv is Astral's Python package manager, and this command installs the packages listed in requirements.txt into an ephemeral environment before running the script, which means third-party package code from the cloned repository is installed and executed. uv is not declared as a required binary, and the requirements.txt should be reviewed before execution.
Install Mechanism
This skill is instruction-only (no install spec), so the registry installs nothing automatically. However, the runtime guidance clones external GitHub repositories and suggests running 'npm link' and other commands that write and execute code on the user's disk. Cloning and executing repositories is higher-risk than purely instruction-only usage, and the repositories' provenance cannot be verified from the metadata (homepage: none).
Credentials
Only TIMECAMP_API_KEY is required, which is appropriate for a TimeCamp integration; no unrelated credentials are requested. That said, the pipeline fetches potentially sensitive datasets (computer activities) with that key, so use a key from a dedicated account with the least access needed rather than an administrator's key.
Persistence & Privilege
The skill is not always-enabled, does not request elevated registry privileges, and is user-invocable. When its instructions are followed it reads and writes files under the user's home directory (~/utils, ~/data, ~/.duckdb), which is expected for local tooling but should be made explicit to the user.
What to consider before installing
This skill mostly does what it says (interact with TimeCamp and run a data pipeline), but it expects you to clone and run external repositories and tools that the skill metadata does not list. Before installing or running it:
1) Verify that the GitHub repositories (https://github.com/timecamp-org/...) are the authentic ones and review their code, including the npm and Python dependencies they pull in.
2) Make sure you have, or are willing to install, git, npm, Python, uv and DuckDB; the skill metadata declares none of them.
3) Use a TIMECAMP_API_KEY from a dedicated account with minimal access; do not expose a full admin key.
4) Be aware the pipeline can fetch 'computer_activities' (desktop telemetry); skip that step if you do not want local activity data collected.
5) Inspect, and refuse if in doubt, any 'npm link' or other command that installs code globally rather than inside the project directory.
If you want to proceed, ask the publisher for a homepage or signed release artifacts and for an explicit list of the binaries the skill requires.
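A pre-install check of the kind this section recommends, as an added example (it is not ClawHub's, OpenClaw's or the skill's own code): it extracts the shell commands a SKILL.md asks the agent to run, compares them with what the skill metadata declares, and reports the gaps the scan describes: undeclared binaries, undeclared environment variables, commands that install code globally, writes under the home directory, and fetches of sensitive endpoints. The SKILL.md fragment and the repository URL in it are constructed for the example; the real skill's repository URL is truncated above and is not reproduced.

```python
"""Audit an instruction-only skill's SKILL.md against its declared metadata.

Constructed example, not registry or scanner code. It answers the questions
the scan raises: which binaries do the instructions actually run, which of
them are declared, and which commands install code or touch sensitive data?
"""
import re
import shlex
from dataclasses import dataclass, field

FENCE = "`" * 3  # built at runtime so this listing contains no literal fence

# Commands that install or link code outside the project directory.
GLOBAL_INSTALL = {("npm", "link"), ("npm", "install", "-g"), ("npm", "i", "-g"),
                  ("pip", "install"), ("pip3", "install")}
# Shell builtins and control words that are not external binaries.
NOT_BINARIES = {"cd", "export", "echo", "source", ".", "set", "true", "false"}
# Environment variables every shell has; not skill-specific credentials.
COMMON_ENV = {"HOME", "PATH", "USER", "PWD"}
# API resources the scan singles out as personal telemetry.
SENSITIVE_ENDPOINTS = {"computer_activities"}
HOME_PATH = re.compile(r"(?<![\w/])~/[\w./-]+")
ENV_REF = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")


@dataclass
class AuditReport:
    undeclared_binaries: set = field(default_factory=set)
    undeclared_env: set = field(default_factory=set)
    global_installs: list = field(default_factory=list)
    home_paths: set = field(default_factory=set)      # informational, not a failure
    sensitive_endpoints: set = field(default_factory=set)

    @property
    def ok(self) -> bool:
        return not (self.undeclared_binaries or self.undeclared_env
                    or self.global_installs or self.sensitive_endpoints)


def fenced_commands(md: str) -> list[str]:
    """Return non-comment lines from every fenced code block, any language tag."""
    pattern = re.escape(FENCE) + r"[^\n]*\n(.*?)" + re.escape(FENCE)
    lines = []
    for block in re.findall(pattern, md, flags=re.S):
        lines.extend(l.strip() for l in block.splitlines()
                     if l.strip() and not l.strip().startswith("#"))
    return lines


def split_commands(line: str) -> list[list[str]]:
    """Split one shell line on &&, ||, ; and | into argv lists, dropping VAR=value prefixes."""
    cmds = []
    for segment in re.split(r"&&|\|\||;|\|", line):
        try:
            argv = shlex.split(segment)
        except ValueError:  # unbalanced quotes: leave that segment unparsed
            continue
        while argv and ASSIGNMENT.fullmatch(argv[0]):
            argv.pop(0)
        if argv:
            cmds.append(argv)
    return cmds


def audit_skill(skill_md: str, declared_bins: set, declared_env: set) -> AuditReport:
    rep = AuditReport()
    for line in fenced_commands(skill_md):
        rep.home_paths.update(HOME_PATH.findall(line))
        for argv in split_commands(line):
            if argv[0] == "sudo":  # privilege escalation is itself worth flagging
                rep.global_installs.append(" ".join(argv))
                argv = argv[1:]
                if not argv:
                    continue
            binary = argv[0].rsplit("/", 1)[-1]
            if binary not in NOT_BINARIES and binary not in declared_bins:
                rep.undeclared_binaries.add(binary)
            if any(tuple(argv[:len(p)]) == p for p in GLOBAL_INSTALL):
                rep.global_installs.append(" ".join(argv))
    rep.undeclared_env = set(ENV_REF.findall(skill_md)) - declared_env - COMMON_ENV
    rep.sensitive_endpoints = {ep for ep in SENSITIVE_ENDPOINTS if ep in skill_md}
    return rep


# Constructed SKILL.md fragment modelled on the findings above. The repository
# URL is a placeholder, not the skill's real (truncated) URL.
SAMPLE_SKILL_MD = f"""
## Setup
Ask the user before running:
{FENCE}bash
git clone https://github.com/example-org/timecamp-cli ~/utils/timecamp-cli
cd ~/utils/timecamp-cli && npm install && npm link
{FENCE}
## Analytics pipeline
{FENCE}bash
TIMECAMP_API_KEY=$TIMECAMP_API_KEY uv run --with-requirements requirements.txt pipeline.py --fetch computer_activities --out ~/data/timecamp.jsonl
duckdb ~/.duckdb/timecamp.db
{FENCE}
"""

if __name__ == "__main__":
    # Metadata as the page shows it: no binaries declared, one env var.
    print(audit_skill(SAMPLE_SKILL_MD, declared_bins=set(), declared_env={"TIMECAMP_API_KEY"}))
```

Run against the constructed fragment with the metadata the page shows (no declared binaries, TIMECAMP_API_KEY declared), the report lists git, npm, uv and duckdb as undeclared, 'npm link' as a global install, the three home-directory paths, and 'computer_activities' as a sensitive fetch. Declaring the binaries does not make the report pass: the global install and the telemetry fetch still need a human decision, which is the point of running the check before anything is cloned.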




Runtime requirements

⏱️ Clawdis
Env: TIMECAMP_API_KEY
