Is florianrauscha/timesheet safe?

https://github.com/openclaw/skills/tree/main/skills/florianrauscha/timesheet

95
SAFE

The florianrauscha/timesheet skill is a clean, two-file package containing only metadata and CLI documentation for the timesheet.io time tracking tool. No prompt injection, executable code, git hooks, exfiltration mechanisms, or malicious behavior was detected in either the static content or dynamic monitoring. Sensitive file accesses observed in monitoring logs predate skill installation and are attributable to the audit system's canary infrastructure, not the skill itself.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (2)

INFO Legitimate external service integration (timesheet.io) -5

All time tracking operations send data to timesheet.io, which is the declared and intended purpose of the skill. Users should understand their work activity data (projects, task descriptions, durations, billable status) will be stored by this third-party service.

INFO Standard sparse-checkout installation from GitHub monorepo 0

Installation uses git sparse-checkout to fetch only the skill subdirectory from the openclaw/skills monorepo. This is the expected installation mechanism for this skill registry.