RescueTime
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: rescuetime Version: 1.0.0 The skill bundle is designed to fetch productivity data from the RescueTime API using standard `curl` commands. The `SKILL.md` file provides clear instructions for the AI agent on when and how to use the skill, including API endpoints and parameters. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts to subvert the agent's behavior, or obfuscation. All actions are aligned with the stated purpose of interacting with the RescueTime API (rescuetime.com).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If provided, the agent can use the RescueTime key to query the user's RescueTime account data.
The skill requires a RescueTime API key. This is expected for the integration, but it grants account-level access to RescueTime productivity data and is not reflected as a primary credential in the supplied metadata.
Requires API key in TOOLS.md or passed directly.
Use a RescueTime API key you are comfortable granting to the agent, avoid pasting it into shared chats or logs, and revoke or rotate it if no longer needed.
Reports generated through this skill may expose sensitive details about how the user spends time on their computer.
The skill explicitly brings personal RescueTime activity data from an external provider into the agent conversation. This is purpose-aligned, but the data can reveal private work habits and app/site usage.
Use when the user asks about their screen time, productivity score, app usage, time tracking, how they spent their day/week, or wants reports on their computer activity.
Request only the date ranges and report types you need, and review outputs before sharing them outside trusted contexts.
A real API key substituted into these commands could be accidentally disclosed if command history or logs are shared.
The documented workflow uses raw curl/API URLs with the API key in a query parameter. This is normal for the RescueTime API examples, but real keys used this way can be exposed in terminal history, logs, or copied command text.
curl "https://www.rescuetime.com/anapi/data?key=API_KEY&format=json&perspective=rank&restrict_kind=activity"
Prefer secure secret handling where available, and do not share command lines or logs containing a real RescueTime API key.