Harvest Time Reporting

v1.0.0

Integrate with the Harvest API to manage time entries, projects, tasks, clients, and user assignments for detailed time tracking and reporting.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md provides a straightforward Harvest API integration (time entries, projects, etc.), which aligns with the skill name. However, the published metadata has no description and does not declare the environment variables that the instructions require, so the manifest does not fully represent the skill's real purpose and needs.
Instruction Scope
The runtime instructions explicitly require two environment variables (HARVEST_ACCESS_TOKEN and HARVEST_ACCOUNT_ID) and show curl examples that will send those credentials to https://api.harvestapp.com/v2. The SKILL.md does not ask the agent to read unrelated files or other system secrets, but it does rely on environment-stored secrets that are not declared in the registry metadata — a discrepancy that matters for reviewers and for automated provisioning/permission controls.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no external packages are fetched. That limits installation risk.
Credentials
The skill requires two sensitive values (a bearer token and an account ID) according to SKILL.md, but the registry entry lists no required environment variables or primary credential. The required secrets are proportional to the Harvest integration itself, but the manifest omission is a mismatch that can hide credential needs from users and automated checks.
Persistence & Privilege
The skill does not request always:true and has no install actions that modify other skills or system-wide settings. It relies on runtime network calls, which is expected for an API integration.
What to consider before installing
This skill appears to be a normal Harvest API integration, but the package metadata omitted the two environment variables the instructions require. Before installing or enabling it: (1) treat HARVEST_ACCESS_TOKEN as a secret — create a least-privilege Harvest personal access token for this use and rotate it if shared; (2) confirm the skill manifest is corrected to declare HARVEST_ACCESS_TOKEN and HARVEST_ACCOUNT_ID so automated tooling and reviewers can see the requirement; (3) verify the skill's source/owner (unknown here) and prefer skills from known maintainers; (4) if you allow the agent to use this skill, ensure your agent's network and secret-management policies prevent accidental exfiltration and that the token will only be sent to api.harvestapp.com; and (5) if you are uncomfortable with providing credentials, consider using a proxy service or human-in-the-loop for actions that require the token.

Like a lobster shell, security has layers — review code before you run it.
