Security audit

滴答清单

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for managing Dida tasks through a CLI, with expected account login and task-changing commands.

Install only if you trust @suibiji/dida-cli and are comfortable granting it access to your Dida account. Prefer the browser OAuth flow over pasting an API token, review selected projects/tasks before changes, and require explicit confirmation before delete or bulk cleanup commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest description uses broad trigger terms like 'tasks, to-dos, reminders, or event', which can cause the skill to be invoked for a wide range of user requests beyond the intended Dida CLI scope. Over-broad routing increases the chance an agent selects this skill inappropriately and executes external CLI actions or login flows when a narrower, less risky skill or a simple response would have been more appropriate.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.