Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wakapi Sync
v0.2.1
Daily Wakapi (WakaTime-compatible) summary → local CSV files. Fetch today's stats and append/update CSVs for totals, top projects, and top languages.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared env vars, and bundled script all align: the script queries Wakapi endpoints and produces CSVs in the configured output directory. Nothing requested (binaries, extra envs, or config paths) is unrelated to the stated purpose.
Instruction Scope
SKILL.md instructs running the included Node script and documents the exact env vars used. The script only calls the Wakapi endpoints, processes JSON, and reads/writes CSVs under WAKAPI_OUT_DIR—no unexpected file reads, shell evals, or external endpoints are present.
Install Mechanism
This is an instruction-only skill with a bundled Node script; there is no install spec or external downloads. It requires Node.js 18+ in the runtime, which is reasonable for an .mjs script.
Credentials
Only three required env vars are declared and used: WAKAPI_URL, WAKAPI_API_KEY, and WAKAPI_OUT_DIR (plus optional TOP_N vars). These directly map to the script's behavior. The primaryEnv is set to WAKAPI_OUT_DIR (a non-secret path); the secret API key is requested and justified by the API calls.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It only writes CSV files under the specified output directory, which is expected for its function.
Assessment
This skill appears to do what it says. Before installing, ensure WAKAPI_URL points to a trusted Wakapi server you control and keep WAKAPI_API_KEY secret. Provide an OUT_DIR you expect the skill to write to (it creates directories/files there). Confirm your agent environment has Node.js 18+ and that you are comfortable with the agent being able to invoke the script (autonomous invocation is allowed by default). If you want extra caution, run the script manually once in a sandboxed environment to verify behavior and outputs before enabling automated runs.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97bghjamk0esqke4dsrhb70h1816r9y
Runtime requirements
Env: WAKAPI_URL, WAKAPI_API_KEY, WAKAPI_OUT_DIR
Primary env: WAKAPI_OUT_DIR
