ClawHub
Back to skill
v1.0.0

Dida365

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:25 AM.

Analysis

This instruction-only skill is coherent for TickTick/Dida365 task management, but it can read and modify tasks across the user's account.

GuidanceThis skill appears appropriate for managing TickTick/Dida365 tasks. Before installing or using it, be aware that it may access tasks across all projects and can change task state or content. For safer use, ask for read-only queries when browsing tasks and require confirmation before creating, moving, completing, or batch-updating tasks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
Task management via the `mcp__dida__*` MCP tools. Query, create, and update tasks across all projects — no app required.

The skill clearly discloses tool-based task read/write authority across projects. This is purpose-aligned, but task creation, updates, moves, completions, and batch operations can change user account data.

User impactIf used carelessly, the agent could make unwanted changes to tasks, including completing or modifying multiple tasks.
RecommendationConfirm task-changing actions before execution, especially batch updates, moves, or completions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
`list_projects` | 获取当前账号中的所有清单 ... `projectIds: []` means "all projects" in filter/date queries

The skill operates on the current Dida365 account and can query all projects when project IDs are omitted. This is expected for a task-management integration, but it is broad account access.

User impactThe agent may see task lists and task details across the user's Dida365 account, including personal or work-related items.
RecommendationUse the skill only with the intended account and provide specific project IDs when you want to limit scope.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceMediumStatusNote
SKILL.md
Task management via the `mcp__dida__*` MCP tools.

The skill depends on MCP tools to access and modify Dida365 task data. The artifacts disclose this integration, but do not further describe MCP-side identity, permissions, or data boundaries.

User impactTask titles, descriptions, project IDs, dates, and related account data may pass through the configured Dida365 MCP integration.
RecommendationInstall or invoke this skill only if you trust the configured Dida365 MCP tools and avoid placing highly sensitive information in task fields unless appropriate.