Ticktick Linux

Security checks across malware telemetry and agentic risk

Overview

This skill transparently lets an agent list, create, and complete TickTick tasks through a local TickTick CLI, with no evidence of hidden or unrelated behavior.

Install only if you trust the local tickrs binary and are comfortable letting the agent operate on the authenticated TickTick account. Treat the TickTick client secret and CLI session as credentials, and confirm task creation or completion requests before allowing the agent to make changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill exposes commands that create and complete TickTick tasks against a real remote account, but the documentation does not clearly warn that these operations modify live user data. This increases the chance of unintended state changes, especially when an agent or user treats the skill as informational rather than mutating.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal