kimai-time-tracking

The kimai-time-tracking skill consists of a Python script (scripts/kimai_cli.py) that acts as a client for the Kimai REST API. It uses standard Python libraries (urllib.request, json, os, etc.) and does not introduce any external, unverifiable dependencies.

Threat Assessment:

1. Prompt Injection: No patterns indicative of prompt injection were found in any of the skill files.

2. Data Exfiltration: The skill requires KIMAI_BASE_URL and KIMAI_API_TOKEN as environment variables. The KIMAI_API_TOKEN is used in an Authorization: Bearer header for API requests to the KIMAI_BASE_URL. This is standard and appropriate for API authentication. The skill explicitly states that the token is "never logged or stored in CLI output," which is a good practice. However, the core functionality of this skill is to send and receive potentially sensitive time-tracking data (and the API token) to the user-configured KIMAI_BASE_URL. If a user provides a malicious or untrusted KIMAI_BASE_URL, the API token and all data sent via the skill would be exfiltrated to that malicious endpoint. This is an inherent risk of any API client that takes a user-defined endpoint and credentials. The skill itself does not attempt to exfiltrate data to unintended third parties or read other sensitive local files (e.g., ~/.ssh/id_rsa). Export files are saved to a user-specific workspace (~/.openclaw/workspace/kimai) with restricted permissions (600), which is a good security measure.

3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, etc.) were detected in any of the provided files.

4. Unverifiable Dependencies: The Python script relies solely on Python's standard library. No external package installations (pip install, npm install, etc.) are required or performed, which is a positive security aspect.

5. Privilege Escalation: No commands or patterns indicative of privilege escalation (e.g., sudo, chmod 777, service installations) were found.

6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, creating cron jobs, systemd units) were detected.

7. Metadata Poisoning: The _meta.json and SKILL.md files contain standard metadata and descriptions without any hidden or malicious instructions.

8. Indirect Prompt Injection: As a CLI client, the skill processes user input for various API fields. While this data could theoretically contain malicious instructions if later processed by an LLM or displayed in an insecure context within the Kimai system, the skill itself is not an LLM and does not directly expose itself to indirect prompt injection from its own output.

9. Time-Delayed / Conditional Attacks: No time-delayed or conditional logic for malicious behavior was identified.

Conclusion: The skill is a functional and seemingly well-intentioned API client. The primary security consideration is the user's responsibility to provide a trusted KIMAI_BASE_URL and to understand that the KIMAI_API_TOKEN and time-tracking data will be sent to this configured URL. Destructive operations (delete) include an explicit confirmation prompt, which is a good safety feature. Given that the skill's code itself is not malicious and handles credentials in a standard manner, the overall verdict is LOW, reflecting the inherent risks of any API client handling user-provided credentials and network communication.