← 返回 Skills 市场
111
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install timedoctor-skill
功能描述
Integrates with TimeDoctor API to pull employee time tracking data, worklogs, statistics, and productivity metrics using simple Python scripts
安全使用建议
This skill appears to be a straightforward TimeDoctor API client, but check these points before installing or using it:
- Credential handling: The agent will prompt for your TimeDoctor email/password to run the login flow and obtain a JWT. Consider creating the token yourself (via curl or the TimeDoctor UI/API) and setting TIMEDOCTOR_TOKEN instead of handing your password to the agent.
- Env var mismatch: SKILL.md expects TIMEDOCTOR_TOKEN and optionally TIMEDOCTOR_COMPANY_ID, but the registry metadata doesn't declare required env vars — make sure you store tokens securely and do not add them to shared shell profiles on multi-user systems.
- Installation: The code requires Python and httpx (pip). Install dependencies in an isolated virtualenv rather than system Python to reduce risk.
- Review code & origin: The repository/author looks like an individual project. If you will use this for production or sensitive data, review the timedoctor.py source yourself (it appears to call only api2.timedoctor.com) and verify there are no unexpected network endpoints or logging of sensitive data.
If you cannot review the code or avoid entering your password, prefer manual token provisioning and limit token lifetime / scope where possible.
功能分析
Type: OpenClaw Skill
Name: timedoctor-skill
Version: 0.1.0
The skill provides a functional integration with the TimeDoctor API but is classified as suspicious due to insecure credential handling and high-risk data access. Specifically, the `login` command in `timedoctor.py` accepts passwords as plaintext command-line arguments, which can expose them in process lists or shell history. Additionally, `SKILL.md` instructs the AI agent to solicit user passwords directly in the chat and extract JWT tokens from responses, risking credential leakage into logs or session history. The skill also includes capabilities to retrieve sensitive employee data, such as screenshots and screencasts (`get_files`), which, while aligned with the stated purpose of employee monitoring, represents a significant privacy risk.
能力评估
Purpose & Capability
Name/description match the included Python CLI (timedoctor.py) which calls TimeDoctor's API endpoints. Required binary python3 and dependency httpx are appropriate for the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to prompt users for TimeDoctor email and password and to run the local CLI to obtain a JWT, then instructs users to export the TIMEDOCTOR_TOKEN. Asking for credentials is within the task of obtaining an auth token but expands the trust surface (agents collecting plaintext passwords). The instructions also check/set environment variables and run local commands — there is no instruction to read unrelated files or exfiltrate data, but the guidance is broad about prompting for credentials and manipulating env vars.
Install Mechanism
No external downloads or executables are fetched; dependency is httpx via pip (requirements.txt included). However the registry metadata says 'No install spec' while SKILL.md/YAML frontmatter declares pip: ['httpx>=0.27.0'] — minor inconsistency in install metadata but the actual install mechanism (pip) is reasonable and low-risk.
Credentials
The skill uses TIMEDOCTOR_TOKEN and optionally TIMEDOCTOR_COMPANY_ID at runtime, but the registry metadata lists no required env vars and primary credential none. That mismatch (runtime env usage vs registry declarations) is inconsistent and may confuse permission/credential handling. The skill also instructs collecting email/password to call the login API — this is expected for obtaining a token but is sensitive and should be highlighted to users.
Persistence & Privilege
No 'always: true' or elevated privileges requested. The skill is user-invocable and the code does not attempt to modify other skills or system-wide configs. It suggests adding exports to shell profiles but that is a user action, not automatic persistence by the skill.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install timedoctor-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/timedoctor-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release of TimeDoctor Skill for Python CLI integration.
- Adds commands to login, retrieve a JWT token, and access multiple companies per account via the TimeDoctor API.
- Allows fetching employee worklogs, productivity statistics, user and project lists using simple command-line scripts.
- Supports filtering by company, user, date range, and handles multiple user accounts via token management.
- Includes detailed agent instructions for onboarding users, managing sessions, and presenting results.
- Provides setup workflows and error handling guidance for environment variables and API authentication.
元数据
常见问题
Timedoctor 是什么?
Integrates with TimeDoctor API to pull employee time tracking data, worklogs, statistics, and productivity metrics using simple Python scripts. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 111 次。
如何安装 Timedoctor?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install timedoctor-skill」即可一键安装,无需额外配置。
Timedoctor 是免费的吗?
是的,Timedoctor 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Timedoctor 支持哪些平台?
Timedoctor 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Timedoctor?
由 JehadurRE(@jehadurre)开发并维护,当前版本 v0.1.0。
推荐 Skills