Teambition Worklog

Pass. Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: teambition-worklog
Version: 0.5.0

The skill automates Teambition worklog entries by analyzing local Git commits and interacting with the Teambition API. It is classified as suspicious because it requires high-risk capabilities to function: it explicitly instructs the AI agent to read sensitive session cookies (TEAMBITION_SESSIONID) and access tokens from a local file (~/.workbuddy/.env) and use them in curl-based network requests to teambition.com. While these actions are aligned with the stated purpose, the handling of raw authentication credentials and the execution of shell scripts (teambition-api.sh and analyze-git-commits.sh) that process local repository data represent a significant security surface. No evidence of intentional malice, such as exfiltration to unauthorized third-party domains, was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act with the privileges of the copied Teambition browser session, and incorrect default identity headers could cause requests to target the wrong organization or user context.

Why it was flagged

The script reads Teambition session credentials from a persistent local env file and falls back to hardcoded organization/user IDs for authenticated requests.

Skill content

ENV_FILE="${WORKBUDDY_ENV_FILE:-$HOME/.workbuddy/.env}"
DEFAULT_ORG_ID="5ca572ed159b120001311c75"
DEFAULT_USER_ID="5d1d61806c546600012146ed"
...
build_cookie() {
  local c="TEAMBITION_SESSIONID=${TEAMBITION_SESSIONID}; TB_ACCESS_TOKEN=${TB_ACCESS_TOKEN}; ..."

Recommendation

Only use this with your own correct ORG_ID and USER_ID configured, keep the .env file private, prefer least-privilege credentials if available, and do not rely on the hardcoded defaults.

What this means

If the AI matches commits to the wrong task or date, it could create, change, or delete business worklog records.

Why it was flagged

The advertised workflow includes automatic worklog filling plus modification and deletion of Teambition work-time records.

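Skill content

AI-assisted Teambition worklog entry: Git commits → task matching → automatic worklog filling (supports worklog duplicate checking, modification, deletion, and summaries; viewing in-progress tasks and active project updates)

Recommendation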

Review the proposed task/date/hour entries before submission, and require explicit confirmation for any add, update, or delete operation.

What this means

A user may underestimate the setup requirements and the credential sensitivity before installing or invoking the skill.

Why it was flagged

The bundled metadata declares required credentials and binaries even though the registry-style requirements say there are no required env vars, binaries, or primary credential.

Skill content

"env_vars": { "TEAMBITION_SESSIONID": { "required": true }, ... "TB_ACCESS_TOKEN": { "required": true } },
"dependencies": { "tools": ["Bash", "Read", "Write"], "bins": ["git", "curl", "python3"] }

Recommendation

Treat the skill as requiring Teambition credentials and local command execution; verify the scripts and dependencies before use.