Dida365

Security checks across malware telemetry and agentic risk

Overview

This TickTick/Dida365 task skill appears purpose-aligned, but its broad activation and write-capable task operations need user review before installation.

Review this skill before installing. Only use it when you intend the assistant to access your TickTick/Dida365 account, and require confirmation before creating, updating, moving, or completing tasks, especially for bulk or work-related lists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 96%
Finding
The trigger description is overly broad because it says to invoke the skill for general 'tasks, to-do lists, projects ... even if they don't say TickTick explicitly.' In an agent setting, that can cause the skill to activate for unrelated task-management requests and route user data or actions into the TickTick/Dida365 toolchain without clear product-specific user intent, increasing the risk of unintended reads or modifications.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents state-changing operations such as create, update, move, and complete without any explicit warning or confirmation guidance. In practice, this makes accidental task modification more likely, especially when combined with the broad invocation rule, because the agent may perform destructive or irreversible task actions without making the user aware that external data will be changed.

VirusTotal

60/60 vendors flagged this skill as clean.
