Is 0x7466/kimai-time-tracking safe?

https://github.com/openclaw/skills/tree/main/skills/0x7466/kimai-time-tracking

Overall score: 93
Verdict: SAFE

This is a clean, well-structured Kimai time-tracking API client with no malicious intent. The Python CLI script uses only standard library modules, communicates exclusively with the user's own configured Kimai instance, and contains no prompt injection, data exfiltration, or hidden execution patterns. Minor risks stem from the --force flag enabling silent destructive operations and cascading deletes that could cause data loss if an agent misuses them.

Category Scores

Prompt Injection: 95/100 (weight 30%)
Data Exfiltration: 95/100 (weight 25%)
Code Execution: 92/100 (weight 20%)
Clone Behavior: 96/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 82/100 (weight 5%)

Findings (6)

LOW: Executable Python script included (-8)

The skill ships kimai_cli.py, a 450-line Python script that the agent is instructed to execute. While the code is clean and uses only standard library modules, any executable code inherently carries more risk than a pure-prompt skill. The script has been reviewed and contains no dangerous patterns (no eval, exec, subprocess, os.system, or dynamic imports).

LOW: --force flag bypasses deletion confirmation (-5)

Delete commands accept a --force flag that skips the interactive 'Type yes to confirm' prompt. An LLM agent could use this flag to perform destructive operations without the user seeing a confirmation step, especially since the agent controls the command arguments.

LOW: Cascading deletes risk significant data loss (-8)

Deleting a customer cascades to all linked projects, activities, and timesheets. Deleting a project cascades to activities and timesheets. Combined with --force, an agent could inadvertently destroy large amounts of business-critical time-tracking data with a single command.

INFO: External documentation URLs referenced (-5)

SKILL.md references external URLs (kimai.org documentation, API pagination guide) as passive documentation links. These are not fetch directives and pose no injection risk, but are noted for completeness.

INFO: API token transmitted to user-configured endpoint (-5)

The KIMAI_API_TOKEN is sent as a Bearer token to KIMAI_BASE_URL on every API call. This is the expected and correct behavior for an API client. The token is not logged, stored in output, or sent to any other endpoint. Risk exists only if KIMAI_BASE_URL is misconfigured to point to a malicious server, which is outside the skill's control.

INFO: Broad API surface includes admin operations (-5)

The skill exposes user creation, team management, and rate configuration: administrative operations that most users do not need for basic time tracking. While these are legitimate Kimai API features gated by server-side permissions, the broad surface area increases the potential impact of agent misuse.