Integrate with the Harvest API to manage time entries, projects, tasks, clients, and user assignments for detailed time tracking and reporting.
Security Analysis
high confidenceThe skill's instructions match a Harvest API integration, but the skill listing fails to declare the required credentials (HARVEST_ACCESS_TOKEN and HARVEST_ACCOUNT_ID), creating an incoherence that could lead to credential mishandling or unnoticed secret requirements.
The SKILL.md provides a straightforward Harvest API integration (time entries, projects, etc.), which aligns with the skill name. However the published metadata has no description and does not declare the environment variables that the instructions require, so the manifest does not fully represent the skill's real purpose and needs.
The runtime instructions explicitly require two environment variables (HARVEST_ACCESS_TOKEN and HARVEST_ACCOUNT_ID) and show curl examples that will send those credentials to https://api.harvestapp.com/v2. The SKILL.md does not ask the agent to read unrelated files or other system secrets, but it does rely on environment-stored secrets that are not declared in the registry metadata — a discrepancy that matters for reviewers and for automated provisioning/permission controls.
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no external packages are fetched. That limits installation risk.
The skill requires two sensitive values (a bearer token and an account ID) according to SKILL.md, but the registry entry lists no required environment variables or primary credential. The required secrets are proportional to the Harvest integration itself, but the manifest omission is a mismatch that can hide credential needs from users and automated checks.
The skill does not request always:true and has no install actions that modify other skills or system-wide settings. It relies on runtime network calls, which is expected for an API integration.
Guidance
This skill appears to be a normal Harvest API integration, but the package metadata omitted the two environment variables the instructions require. Before installing or enabling it: (1) treat HARVEST_ACCESS_TOKEN as a secret — create a least-privilege Harvest personal access token for this use and rotate it if shared; (2) confirm the skill manifest is corrected to declare HARVEST_ACCESS_TOKEN and HARVEST_ACCOUNT_ID so automated tooling and reviewers can see the requirement; (3) verify the skill's source/owner (unknown here) and prefer skills from known maintainers; (4) if you allow the agent to use this skill, ensure your agent's network and secret-management policies prevent accidental exfiltration and that the token will only be sent to api.harvestapp.com; and (5) if you are uncomfortable with providing credentials, consider using a proxy service or human-in-the-loop for actions that require the token.
Latest Release
v1.0.0
Initial release of the Harvest Time Tracking API skill. - Provides integration with Harvest's time tracking API (v2). - Supports management of time entries, projects, tasks, and clients through documented endpoints. - Includes setup instructions with required environment variables and authentication headers. - Offers detailed cURL examples for listing, creating, updating, and deleting entities. - Supports user and task assignments within projects.
More by @zachgodsell93
Published by @zachgodsell93 on ClawHub
