Harvest Time Reporting

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Harvest API reference skill, but it uses a Harvest bearer token and includes write/delete account actions that users should approve carefully.

Install only if you intend the agent to work with your Harvest account. Provide a narrowly scoped token if possible, and review any create, update, assignment, or delete action before allowing it to run.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token has broad Harvest permissions, the agent could read or change Harvest account data when acting on user requests.

Why it was flagged

The skill requires a Harvest bearer token and account ID to access the user's Harvest account. This is expected for the integration, but the registry metadata lists no primary credential or required environment variables.

Skill content

`HARVEST_ACCESS_TOKEN` ... `HARVEST_ACCOUNT_ID` ... `Authorization: Bearer $HARVEST_ACCESS_TOKEN`

Recommendation

Use the least-privileged Harvest token available, keep it secret, and update metadata to declare the credential and required environment variables.

What this means

A mistaken command or wrong ID could change or delete time entries, projects, or user assignments in Harvest.

Why it was flagged

The API reference includes purpose-aligned create, update, assignment, and delete operations against Harvest resources. These are documented examples, not evidence of automatic execution, but they can mutate business records.

Skill content

#### Delete Project ... `-X DELETE` ... #### Update Time Entry ... `-X PATCH` ... #### Create User Assignment ... `-X POST`

Recommendation

Require clear user intent and confirmation before running POST, PATCH, or DELETE requests, especially for project deletion or assignment changes.