Back to skill

Security audit

TickTick Tasks

Security checks across malware telemetry and agentic risk

Overview

This TickTick skill is a straightforward task-management integration with disclosed OAuth setup and task actions, including deletion.

Install only if you trust the external `ticktick` and `ticktick-setup` commands on your machine. Before providing a TickTick client secret, verify which executable will run, and review project/task IDs carefully before approving complete or delete actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly documents a destructive delete operation but provides no warning, confirmation guidance, or recommendation to verify task identity before deletion. In an agent-driven context, this increases the risk of unintended or irreversible data loss if the model misinterprets a user request or acts on ambiguous task identifiers.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.