MILKEE Swiss Accounting

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less external context for deciding whether to trust the publisher before granting API access.

Why it was flagged

The skill's provenance is not clearly established by the registry metadata, even though the included artifacts are coherent and the static scan is clean.

Skill content
Source: unknown
Homepage: none
Recommendation

Install only if you trust the owner or have reviewed the included code, and prefer a least-privilege MILKEE API key if available.

What this means

Anyone or any agent using this skill with your configured token can access MILKEE data according to that token's permissions.

Why it was flagged

The skill requires a MILKEE API token and company ID, which are expected for this integration but give the skill delegated access to the user's MILKEE account data.

Skill content
export MILKEE_API_TOKEN="USER_ID|API_KEY"
export MILKEE_COMPANY_ID="YOUR_COMPANY_ID"
Recommendation

Use a scoped or dedicated API token if MILKEE supports it, keep the token out of shared logs/repos, and rotate it if you uninstall or no longer trust the skill.

What this means

Mistaken or unintended invocations could create or modify projects, customers, products, tasks, or billable time entries in MILKEE.

Why it was flagged

The script can create and update MILKEE business objects and post time entries. This is aligned with the advertised accounting/time-tracking purpose, but it is still mutation authority over business records.

Skill content
result = api_call("POST", "projects", data)
result = api_call("PUT", f"customers/{args.id}", data)
result = api_call("POST", "times", data)
Recommendation

Review agent requests before allowing create/update/log-time actions, and verify fuzzy project matches before relying on recorded time.

What this means

Work descriptions and project IDs may remain on disk between sessions, and local tampering with the timer file could affect the next logged time entry.

Why it was flagged

The skill stores timer context locally and later trusts that file when stopping a timer and logging time.

Skill content
TIMER_FILE = Path.home() / ".milkee_timer"
...
json.dump(timer_data, f)
...
timer_data = json.load(f)
Recommendation

Avoid putting highly sensitive details in timer descriptions, protect your home directory, and delete ~/.milkee_timer if a timer should be abandoned.