ClawHub

Toggl Track

v1.0.0

Manage Toggl Track time entries, projects, clients, tags, and workspaces via API with OAuth authentication and CRUD operations.

0· 577·0 current·0 all-time
by@byungkyu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Toggl Track API via managed OAuth) match the instructions: all API calls are routed to a Maton gateway/ctrl endpoints and the skill declares the MATON_API_KEY environment variable which is required to use that gateway. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs the agent to make HTTP requests to https://gateway.maton.ai and https://ctrl.maton.ai, read MATON_API_KEY from environment, and open an OAuth URL in a browser to complete authorization. These actions are expected for a proxy/OAuth integration, but they do mean all Toggl API traffic and OAuth flows go through Maton (i.e., a third party).
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or written to disk by the skill itself. This is the lowest-risk install model.
Credentials
Only one environment variable is required (MATON_API_KEY), which maps directly to the gateway authentication mechanism described. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent elevated privileges or modify other skills/settings. The agent will be able to call the skill autonomously by default (platform normal), but that is not unusual and is not combined with other red flags here.
Assessment
This skill appears to do what it says: it proxies Toggl Track API calls through Maton and needs only MATON_API_KEY. Before installing, consider the privacy/trust tradeoffs: Maton will see your Toggl requests and will hold OAuth connections and credentials on your behalf. If you are comfortable routing your time-tracking data through maton.ai/ctrl.maton.ai, this is coherent. If you prefer direct integration, look for a skill that calls api.track.toggl.com directly or verify Maton’s privacy/security practices (source repo, documentation, terms, ability to revoke tokens). Also avoid supplying other unrelated credentials and consider limiting agent autonomy if you do not want it to perform API actions without explicit confirmation.

Like a lobster shell, security has layers — review code before you run it.

latestvk972zehs8bfycv70xymcdp8675814d14

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvMATON_API_KEY

Comments