Ticktick Linux
PassAudited by ClawScan on May 1, 2026.
Overview
This skill openly uses a local TickTick CLI to list, create, and complete tasks, but users should verify the CLI and credentials because it can access and change their TickTick tasks.
Install only if you trust the local tickrs binary and are comfortable letting the agent list, create, and complete tasks in the authenticated TickTick account. Protect the TickTick client secret and verify task-completion requests before allowing changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could add tasks or mark tasks complete in the connected TickTick account when this skill is used.
The skill exposes local CLI commands that can create and complete TickTick tasks using user-provided parameters. This is aligned with the stated purpose, but it can change account data.
/home/david/.cargo/bin/tickrs task create --json --title "{{title}}" ... /home/david/.cargo/bin/tickrs task complete "{{id}}" --jsonReview task creation/completion requests carefully, especially task IDs, project names, and task text. Keep inputs to expected task values and avoid using this skill for accounts where unintended task changes would be serious.
Whoever can invoke the skill through the agent may be able to list, create, or complete tasks in the authenticated TickTick account.
The skill requires TickTick credential-related environment variables and an authenticated CLI session. This is expected for a TickTick integration, but it grants access to the user's task data.
requires: bins: ["/home/david/.cargo/bin/tickrs"] env: ["TICKTICK_CLIENT_ID", "TICKTICK_CLIENT_SECRET"] ... You must authenticate the CLI first by running: `~/.cargo/bin/tickrs init`
Treat the client secret and authenticated CLI session as account credentials. Use only a trusted local environment and revoke or rotate credentials if they may have been exposed.
The agent will run whatever executable exists at that path, so an unexpected or tampered binary could act outside the documented TickTick workflow.
The skill depends on an external local executable that is not included in the artifact set. The dependency is disclosed and central to the purpose, but its provenance should be checked separately.
requires: bins: ["/home/david/.cargo/bin/tickrs"]
Before installing, confirm that /home/david/.cargo/bin/tickrs is the intended TickTick CLI installed from a trusted source and is not writable by untrusted users.