Task Sync
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: task-sync Version: 2.0.3 The OpenClaw AgentSkills skill bundle for 'task-sync' is classified as benign. All code and documentation align with the stated purpose of synchronizing tasks between TickTick and Google Tasks. The OAuth setup scripts (`scripts/setup_google_tasks.py`, `scripts/setup_ticktick.py`) handle sensitive API tokens, but do so in a standard manner for desktop applications, saving them locally without exfiltration. The main sync logic (`sync.py`) and API wrappers (`utils/google_api.py`, `utils/ticktick_api.py`) perform expected operations within the defined API scopes. There is no evidence of malicious execution, persistence mechanisms beyond transparent cron scheduling, obfuscation, or prompt injection attempts in `SKILL.md` or `README.md` that would instruct an AI agent to perform harmful or unauthorized actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A missing, renamed, temporarily unavailable, or wrongly mapped TickTick project could cause a Google task list to be deleted when sync runs.
The sync code can delete an existing Google Tasks list automatically when the mapped TickTick project is absent. This is a high-impact account mutation and the user-facing SKILL.md/README emphasize creation, sync, and stale smart-list cleanup more than destructive list deletion.
if gid in g_idx and tid not in t_idx:
log.info("TickTick project deleted, removing Google list: %s", g_idx[gid]["title"])
...
self.google.delete_list(gid)Before scheduled use, add or require a dry-run mode, explicit confirmation for list deletion, backups, and clearer documentation of deletion rules and recovery steps.
The skill can read, create, update, complete, and delete task data in the connected Google account.
The Google OAuth scope grants read/write access to Google Tasks, which is expected for bidirectional sync but gives the skill meaningful authority over the user's task data.
SCOPES = ["https://www.googleapis.com/auth/tasks"]
Use a Google account and OAuth client you control, review the consent screen, and revoke the token if you stop using the sync.
Private task names and notes from one service can be replicated into the other service.
Task titles and notes may contain private information and are intentionally copied between TickTick and Google Tasks. This is core to the skill, but users should notice the cross-provider data movement.
Sync task title, completion status, and notes/content bidirectionally.
Only connect accounts where this data sharing is acceptable, and avoid syncing lists that contain sensitive notes unless both providers are trusted.
If enabled, the sync may keep creating, updating, completing, or deleting tasks on both services every few minutes.
The skill documents recurring background execution. That is expected for a sync tool, but it means account changes can continue after the initial setup.
# Cron: every 10 minutes
*/10 * * * * /path/to/python {baseDir}/sync.py >> /path/to/sync.log 2>&1
Use OpenClaw cron if available.Enable scheduling only after testing a manual run, and know how to disable the cron/OpenClaw cron job.
The exact dependency versions installed may vary over time.
The skill relies on manual installation of unpinned Python packages. This is common and purpose-aligned, but there is no install spec or lockfile in the provided artifacts.
pip install google-auth google-auth-oauthlib google-api-python-client requests
Install in an isolated virtual environment and consider pinning reviewed dependency versions before production use.