Time Tracker By Ebillity
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Membrane-based Time Tracker integration, but it gives the agent broad authenticated API access that can change or delete business time-tracking data without clear safety boundaries.
Install only if you intend to give Membrane-mediated access to your Time Tracker by eBillity account. Before allowing write, update, delete, or raw proxy requests, confirm the exact operation and use the least-privileged account available. Pin or verify the Membrane CLI package before installing it globally.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could change or delete time entries, projects, clients, expenses, or related business records through the connected account.
The skill documents a raw authenticated API escape hatch with write and delete methods. For a business time-tracking and expense system, this can mutate or remove records, but the artifact does not define user-confirmation, scope, rollback, or containment rules.
When the available actions don't cover your use case, you can send requests directly to the Time Tracker by eBillity API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use the integration only with explicit user approval for non-read actions. Prefer listed Membrane actions over raw proxy requests, verify the endpoint, method, and request body before running, and use a least-privileged eBillity account where possible.
The connected Membrane account may be able to access and operate on eBillity data according to the permissions granted during authentication.
The skill requires Membrane login and connection authentication for Time Tracker by eBillity. This is expected for the integration, but it grants delegated account access and automatic credential refresh.
Membrane handles authentication and credentials refresh automatically... `membrane login --tenant --clientName=<agentType>`... The user completes authentication in the browser.
Authenticate only to the intended tenant/account, review granted permissions, avoid admin credentials unless necessary, and revoke the Membrane connection when it is no longer needed.
The installed CLI version could change over time, and users are trusting the npm package publisher and current package contents.
The skill relies on installing and running the latest Membrane CLI package from npm. This is central to the stated purpose, but @latest is unpinned and global installation executes third-party package code.
`npm install -g @membranehq/cli@latest` and `npx @membranehq/cli@latest action list ...`
Install the CLI from a trusted environment, consider pinning a reviewed version, and verify the package publisher before installation.