Skill v1.0.4
ClawScan security
滴答清单 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 5:11 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are generally consistent with a CLI-based client for 滴答清单 (Dida); the guidance is limited to installing and using a dida CLI and performing task operations, but you should verify the npm package origin before installing globally.
- Guidance: This skill appears coherent for controlling a Dida CLI, but before installing or running anything: 1) verify the npm package @suibiji/dida-cli on the npm registry (publisher, repo link, stars/downloads) to ensure it's trustworthy and actually provides the 'dida' binary; 2) be cautious about running global npm installs (they modify your system PATH and may require elevated permissions); 3) expect the CLI to open a browser for OAuth or to accept an API token you must obtain from your account; keep that token private and only paste it into trusted CLIs; 4) confirm any destructive commands (delete/move) with the user before executing; and 5) if you're unsure about the package origin, prefer using the official client on the vendor site or contacting Dida support/documentation for an official CLI.
Review Dimensions
- Purpose & Capability (note): The name, description, and runtime instructions all focus on using a dida CLI to manage tasks and projects, which aligns with the declared purpose. One small mismatch: the SKILL.md instructs installing the npm package @suibiji/dida-cli (a third-party-scoped package) while the homepage is dida365.com; this is plausible (a community CLI) but worth verifying the package's provenance before installing.
- Instruction Scope (ok): SKILL.md confines agent actions to verifying/installing the dida CLI, performing OAuth PKCE login or token-based auth, listing/creating/updating/moving/deleting tasks, and preferring --json for structured output. It does not instruct the agent to read unrelated files, environment variables, or exfiltrate data.
- Install Mechanism (note): There is no automated install spec in the registry; the instructions tell the agent/user to run 'npm install -g @suibiji/dida-cli'. Installing a global npm package is a reasonable way to get a CLI, but global installs alter the user's system and require privileges. Also verify the npm package (publisher, repository, and downloads) before running a global install because the package scope differs from the official site.
- Credentials (ok): The skill declares no required environment variables or credentials. The instructions rely on interactive OAuth (browser) or a user-supplied API token entered via the CLI, which is proportionate to a CLI that needs authenticated access. The skill does not request unrelated secrets.
- Persistence & Privilege (ok): The skill is instruction-only, does not set 'always: true', and does not request persistent agent privileges or modify other skills. It instructs the agent to avoid logging out or performing destructive actions without explicit user consent.
