jehadurre

Timedoctor

by JehadurRE · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 111
Stars: 1
Active Installs: 0
Versions: 1
Install in OpenClaw
/install timedoctor-skill
Description
Integrates with TimeDoctor API to pull employee time tracking data, worklogs, statistics, and productivity metrics using simple Python scripts
Usage Guidance
This skill appears to be a straightforward TimeDoctor API client, but check these points before installing or using it:
- Credential handling: The agent will prompt for your TimeDoctor email/password to run the login flow and obtain a JWT. Consider creating the token yourself (via curl or the TimeDoctor UI/API) and setting TIMEDOCTOR_TOKEN instead of handing your password to the agent.
- Env var mismatch: SKILL.md expects TIMEDOCTOR_TOKEN and optionally TIMEDOCTOR_COMPANY_ID, but the registry metadata doesn't declare required env vars; make sure you store tokens securely and do not add them to shared shell profiles on multi-user systems.
- Installation: The code requires Python and httpx (pip). Install dependencies in an isolated virtualenv rather than system Python to reduce risk.
- Review code & origin: The repository/author looks like an individual project. If you will use this for production or sensitive data, review the timedoctor.py source yourself (it appears to call only api2.timedoctor.com) and verify there are no unexpected network endpoints or logging of sensitive data. If you cannot review the code or avoid entering your password, prefer manual token provisioning and limit token lifetime / scope where possible.
Capability Analysis
Type: OpenClaw Skill
Name: timedoctor-skill
Version: 0.1.0
The skill provides a functional integration with the TimeDoctor API but is classified as suspicious due to insecure credential handling and high-risk data access. Specifically, the `login` command in `timedoctor.py` accepts passwords as plaintext command-line arguments, which can expose them in process lists or shell history. Additionally, `SKILL.md` instructs the AI agent to solicit user passwords directly in the chat and extract JWT tokens from responses, risking credential leakage into logs or session history. The skill also includes capabilities to retrieve sensitive employee data, such as screenshots and screencasts (`get_files`), which, while aligned with the stated purpose of employee monitoring, represent a significant privacy risk.
Capability Assessment
Purpose & Capability
Name/description match the included Python CLI (timedoctor.py) which calls TimeDoctor's API endpoints. Required binary python3 and dependency httpx are appropriate for the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to prompt users for TimeDoctor email and password and to run the local CLI to obtain a JWT, then instructs users to export the TIMEDOCTOR_TOKEN. Asking for credentials is within the task of obtaining an auth token but expands the trust surface (agents collecting plaintext passwords). The instructions also check/set environment variables and run local commands — there is no instruction to read unrelated files or exfiltrate data, but the guidance is broad about prompting for credentials and manipulating env vars.
Install Mechanism
No external downloads or executables are fetched; dependency is httpx via pip (requirements.txt included). However the registry metadata says 'No install spec' while SKILL.md/YAML frontmatter declares pip: ['httpx>=0.27.0'] — minor inconsistency in install metadata but the actual install mechanism (pip) is reasonable and low-risk.
Credentials
The skill uses TIMEDOCTOR_TOKEN and optionally TIMEDOCTOR_COMPANY_ID at runtime, but the registry metadata lists no required env vars and primary credential none. That mismatch (runtime env usage vs registry declarations) is inconsistent and may confuse permission/credential handling. The skill also instructs collecting email/password to call the login API — this is expected for obtaining a token but is sensitive and should be highlighted to users.
Persistence & Privilege
No 'always: true' or elevated privileges requested. The skill is user-invocable and the code does not attempt to modify other skills or system-wide configs. It suggests adding exports to shell profiles but that is a user action, not automatic persistence by the skill.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install timedoctor-skill
  3. After installation, invoke the skill by name or use /timedoctor-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of TimeDoctor Skill for Python CLI integration.
- Adds commands to login, retrieve a JWT token, and access multiple companies per account via the TimeDoctor API.
- Allows fetching employee worklogs, productivity statistics, user and project lists using simple command-line scripts.
- Supports filtering by company, user, date range, and handles multiple user accounts via token management.
- Includes detailed agent instructions for onboarding users, managing sessions, and presenting results.
- Provides setup workflows and error handling guidance for environment variables and API authentication.
Metadata
Slug: timedoctor-skill
Version: 0.1.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Timedoctor?

Integrates with TimeDoctor API to pull employee time tracking data, worklogs, statistics, and productivity metrics using simple Python scripts. It is an AI Agent Skill for Claude Code / OpenClaw, with 111 downloads so far.

How do I install Timedoctor?

Run "/install timedoctor-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Timedoctor free?

Yes, Timedoctor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Timedoctor support?

Timedoctor is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Timedoctor?

It is built and maintained by JehadurRE (@jehadurre); the current version is v0.1.0.
