Clockify

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Clockify integration that can read and change Clockify data through Membrane, with no hidden code or deceptive behavior found.

Install only if you are comfortable connecting Clockify through Membrane. Review the target workspace, action, and input before create, update, or proxy requests, prefer listed Membrane actions over raw proxy calls, and revoke the Membrane connection when you no longer need it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill advertises create and update operations against external Clockify data without warning that these actions mutate live records. In an agent setting, this increases the risk of unintended writes, especially if the orchestration layer invokes actions based on loose user intent or without explicit confirmation for state-changing operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal