TickTick API

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Authorizing the integration can allow the configured CLI or token to read and modify TickTick tasks.

Why it was flagged

The skill requires OAuth client credentials and user authorization for TickTick account access. This is purpose-aligned, but it grants delegated access to the user's task data.

Skill content

ticktick-setup <client_id> <client_secret>

Recommendation

Only authorize an app and CLI you trust, keep the client secret private, and revoke the TickTick authorization if you stop using the skill.

What this means

A mistaken project ID or task ID could mark the wrong task complete or delete it.

Why it was flagged

The documented commands can complete or delete tasks. These actions match the stated purpose, but they mutate account data and should be user-directed.

Skill content

ticktick complete <project_id> <task_id>

ticktick delete <project_id> <task_id>

Recommendation

Confirm task and project IDs before completing or deleting tasks, and prefer explicit user confirmation for deletions.

What this means

Users need to know which `ticktick-setup` or `ticktick` executable they are running, especially because setup handles OAuth credentials.

Why it was flagged

The skill depends on a local setup helper, but the supplied artifacts include no install spec, code, or required-binary declaration for that helper. This is a provenance gap rather than evidence of hidden behavior.

Skill content

Requires OAuth setup via `ticktick-setup`.

Recommendation

Install the TickTick CLI/helper only from a trusted source. The package should declare its required binaries and credential setup more explicitly.