Back to skill

Security audit

TickTick

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TickTick CLI helper, but users should prefer browser OAuth and handle API tokens carefully.

Install only if you trust the TickTick CLI package. Use browser OAuth when possible. Avoid pasting API tokens into chat or command lines; if a token is required for a headless setup, treat it as sensitive and revoke it if exposed. Review task previews carefully before confirming deletions or bulk changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents a direct API token entry flow for headless environments but does not warn that the token is a sensitive secret that must not be echoed, logged, persisted in chat history, or exposed in terminal history. In an agent context, this increases the chance the agent will ask the user to paste a long-lived credential directly into the conversation or command line, where it may be retained or surfaced to other tools.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.