TickTick CLI
v1.0.0
Manage TickTick tasks and projects from the command line with OAuth2 auth, batch operations, and rate limit handling.
⭐ 21 · 5.4k · 26 current · 28 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The code, commands, and SKILL.md all implement a TickTick CLI using OAuth2 and the TickTick API as claimed. One minor mismatch: the runtime commands in SKILL.md use 'bun run', but the skill metadata does not declare bun (or any required binary). Requiring Bun is reasonable for this project, but it should have been listed as a required binary.
Instruction Scope
Runtime instructions in SKILL.md match the code: register a TickTick developer app, run the OAuth flow, and use the provided commands. The instructions only read/write the skill's credential file (~/.clawdbot/credentials/ticktick-cli/config.json) and call TickTick endpoints; they do not ask the agent to read unrelated system files or transmit data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only), which is low risk. The package includes source files (TypeScript) and expects Bun to run them; the absence of an install step is acceptable but the skill should declare 'bun' as a required runtime. Dependencies are standard (commander, open) and are not fetched via an untrusted URL.
Credentials
The skill requests no environment variables and stores OAuth client ID/secret and tokens in a local config file under the skill's own directory. This is proportionate to its purpose. Note: tokens/credentials are stored in plaintext JSON (the code attempts to set restrictive file perms 700/600) — treat that file as sensitive.
Persistence & Privilege
The skill does not request permanent/global privileges and 'always' is false. It stores credentials in its own directory and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: a local TickTick CLI that uses OAuth2 and stores tokens locally. Before installing, consider:
1) The CLI expects the Bun runtime (SKILL.md uses 'bun run') but the metadata didn't declare it — ensure you have Bun or adapt commands to your environment (node/ts-node) if needed.
2) You will need to register a TickTick developer app and provide Client ID and Client Secret; those credentials and the resulting access/refresh tokens are stored in plaintext JSON at ~/.clawdbot/credentials/ticktick-cli/config.json (the code sets restrictive file perms but the file contents are not encrypted). Keep that file secure and don't share it.
3) The skill's source is 'unknown' and no homepage is provided — if you don't trust the publisher, review the included source files yourself or run the CLI in an isolated environment.
4) If you plan to let an autonomous agent use this skill, be aware the agent will have access to perform actions (create/update/complete/delete/abandon tasks) on your TickTick account — grant only the client permissions you intend and monitor activity.
Like a lobster shell, security has layers — review code before you run it.
latest vk97c3ztp3m164dv3wbf7bg89597yrzfg
