Teambition Worklog
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly purpose-aligned, but it needs Review because it uses full Teambition session credentials and can change business work-time records.
Review before installing. This skill is coherent for filling Teambition worklogs, but it asks you to store Teambition browser-session credentials locally and can modify or delete work-time records. Set your own ORG_ID and USER_ID, protect ~/.workbuddy/.env, inspect proposed worklog changes before approving them, and avoid running the integration tests unless you are comfortable with them querying your Teambition account.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act with the privileges of the copied Teambition browser session, and incorrect default identity headers could cause requests to target the wrong organization or user context.
The script reads Teambition session credentials from a persistent local env file and falls back to hardcoded organization/user IDs for authenticated requests.
ENV_FILE="${WORKBUDDY_ENV_FILE:-$HOME/.workbuddy/.env}"
DEFAULT_ORG_ID="5ca572ed159b120001311c75"
DEFAULT_USER_ID="5d1d61806c546600012146ed"
...
build_cookie() {
local c="TEAMBITION_SESSIONID=${TEAMBITION_SESSIONID}; TB_ACCESS_TOKEN=${TB_ACCESS_TOKEN}; ..."Only use this with your own correct ORG_ID and USER_ID configured, keep the .env file private, prefer least-privilege credentials if available, and do not rely on the hardcoded defaults.
If the AI matches commits to the wrong task or date, it could create, change, or delete business worklog records.
The advertised workflow includes automatic worklog filling plus modification and deletion of Teambition work-time records.
AI 辅助 Teambition 工时填写:Git 提交 → 任务匹配 → 自动填工时(支持工时查重、修改、删除、汇总;查看进行中任务、项目活跃动态)
Review the proposed task/date/hour entries before submission, and require explicit confirmation for any add, update, or delete operation.
A user may underestimate the setup requirements and the credential sensitivity before installing or invoking the skill.
The bundled metadata declares required credentials and binaries even though the registry-style requirements say there are no required env vars, binaries, or primary credential.
"env_vars": { "TEAMBITION_SESSIONID": { "required": true }, ... "TB_ACCESS_TOKEN": { "required": true } },
"dependencies": { "tools": ["Bash", "Read", "Write"], "bins": ["git", "curl", "python3"] }Treat the skill as requiring Teambition credentials and local command execution; verify the scripts and dependencies before use.